On Tue, 21 Aug 2001, Stephen Smalley wrote:

> The second case occurs in the code to kill a process when the system
> is out of memory (mm/oom_kill.c). The badness function tries to
> avoid killing privileged processes by reducing the badness value
> when the process has CAP_SYS_ADMIN, CAP_SYS_RAWIO or has the superuser
> identity. The oom_kill_task function sends a SIGTERM rather than
> a SIGKILL if the process has CAP_SYS_RAWIO. We could replace
> these hardcoded tests with hook calls in badness and oom_kill_task.

In the oom_kill functions, it appears that we could simply use the
existing security_ops->capable hook rather than defining a new hook,
since the capable hook allows us to explicitly pass the task_struct.
LSM already uses the same approach to replace the cap_raised test in
fs/exec.c:must_not_trace_exec. See the attached patch for the
necessary changes to the oom_kill functions.

The only potential area for concern is that in one case, oom_kill
doesn't just test for a capability - it tests for CAP_SYS_ADMIN or
uid 0 or euid 0. The attached patch doesn't preserve the exact
semantics in that case. To do so, we would need a separate hook for
that particular test.

Comments?

--
Stephen D. Smalley, NAI Labs
ssmalleyat_private

diff -X /home/sds/dontdiff -ru lsm-wirex/mm/oom_kill.c lsm/mm/oom_kill.c --- lsm-wirex/mm/oom_kill.c Fri Aug 17 09:21:49 2001 +++ lsm/mm/oom_kill.c Tue Aug 21 15:06:30 2001 @@ -89,8 +89,7 @@ * Superuser processes are usually more important, so we make it * less likely that we kill those. */ - if (cap_t(p->cap_effective) & CAP_TO_MASK(CAP_SYS_ADMIN) || - p->uid == 0 || p->euid == 0) + if (!security_ops->capable(p,CAP_SYS_ADMIN)) points /= 4; /* @@ -99,7 +98,7 @@ * tend to only have this flag set on applications they think * of as important. */ - if (cap_t(p->cap_effective) & CAP_TO_MASK(CAP_SYS_RAWIO)) + if (!security_ops->capable(p,CAP_SYS_RAWIO)) points /= 4; #ifdef DEBUG printk(KERN_DEBUG "OOMkill: task %d (%s) got %d points\n", 
@@ -153,7 +152,7 @@ p->flags |= PF_MEMALLOC; /* This process has hardware access, be more careful. */ - if (cap_t(p->cap_effective) & CAP_TO_MASK(CAP_SYS_RAWIO)) { + if (!security_ops->capable(p,CAP_SYS_RAWIO)) { force_sig(SIGTERM, p); } else { force_sig(SIGKILL, p); _______________________________________________ linux-security-module mailing list linux-security-moduleat_private http://mail.wirex.com/mailman/listinfo/linux-security-module
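Review bot: In the first hunk (@@ -89,8 +89,7 @@) the replacement silently drops the `p->uid == 0 || p->euid == 0` half of the condition, so a uid-0 or euid-0 task whose effective set lacks CAP_SYS_ADMIN (for example a daemon that dropped its capabilities) no longer gets the `points /= 4` reduction, while the comment directly above, "Superuser processes are usually more important, so we make it less likely that we kill those", still describes the old rule. Either keep the identity test beside the hook call, `if (!security_ops->capable(p,CAP_SYS_ADMIN) || p->uid == 0 || p->euid == 0)`, or reword the comment to say the reduction is now keyed on CAP_SYS_ADMIN as decided by the security module; the cover mail already flags this semantic change, and the comment in the code should match. A one-line note that `capable` returns 0 on success, hence the `!`, would also help readers, since the `cap_t(...) & CAP_TO_MASK(...)` test it replaces has the opposite sense.

Review bot: In the second hunk (@@ -99,7 +98,7 @@) the comment above the test still talks about the CAP_SYS_RAWIO "flag" being set on applications the administrator thinks of as important, but after this change the answer comes from whichever module is loaded, which may grant or deny the capability on grounds other than `p->cap_effective`; update the comment accordingly. The hook is now also invoked from inside the scoring function, so a module that audits or logs `capable` denials will see those calls on the OOM path, which is worth a sentence in the changelog. Minor style point for both calls in this file: kernel style puts a space after the comma, `security_ops->capable(p, CAP_SYS_RAWIO)`.

Review bot: In the third hunk (@@ -153,7 +152,7 @@) the choice between `force_sig(SIGTERM, p)` and `force_sig(SIGKILL, p)` is now delegated to the module, so a module whose `capable` returns success for CAP_SYS_RAWIO more liberally than the raw effective set would let the selected victim receive a catchable SIGTERM that it can ignore, leaving the out-of-memory condition unresolved; the comment "This process has hardware access, be more careful." should say that the security module now decides, and the changelog should call out that a permissive module weakens the kill. Same style nit as above: `security_ops->capable(p, CAP_SYS_RAWIO)`.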
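As an added illustration, not part of Stephen's patch or of the LSM tree: a small user-space model in C of the privilege checks in badness() and oom_kill_task() before and after the patch, with a stand-in capable hook that follows the LSM convention of returning 0 on success. It shows which constructed tasks change score when the uid/euid test is replaced by the hook call, and how a hypothetical stricter module changes both the score and the signal. The struct, the hook names and the sample tasks are assumptions of this example, not kernel definitions.

```c
#include <signal.h>
#include <stdint.h>
#include <stdio.h>

/* Capability numbers as in linux/capability.h (2.4). */
#define CAP_SYS_RAWIO 17
#define CAP_SYS_ADMIN 21
#define CAP_TO_MASK(x) (1u << (x))

/* Minimal stand-in (assumed, not the kernel's) for the task_struct
 * fields that oom_kill.c reads. */
struct task {
    const char *comm;
    unsigned int uid, euid;
    uint32_t cap_effective;
};

/* Stand-in for the default capability module's capable hook.  Like the
 * kernel hook it returns 0 when the capability is held and non-zero
 * (the kernel uses -EPERM) when it is not; that inverted convention is
 * why the patch writes !security_ops->capable(...). */
static int cap_capable(const struct task *p, int cap)
{
    return (p->cap_effective & CAP_TO_MASK(cap)) ? 0 : -1;
}

/* Hypothetical stricter module that never grants either capability,
 * to show that the decision now belongs to the loaded module. */
static int deny_capable(const struct task *p, int cap)
{
    (void)p;
    (void)cap;
    return -1;
}

/* Stand-in for security_ops->capable. */
static int (*security_capable)(const struct task *, int) = cap_capable;

void oom_use_default_module(void) { security_capable = cap_capable; }
void oom_use_deny_module(void)    { security_capable = deny_capable; }

/* Privilege part of badness() as it stood before the patch. */
int badness_before(unsigned int uid, unsigned int euid, uint32_t caps, int points)
{
    if ((caps & CAP_TO_MASK(CAP_SYS_ADMIN)) || uid == 0 || euid == 0)
        points /= 4;
    if (caps & CAP_TO_MASK(CAP_SYS_RAWIO))
        points /= 4;
    return points;
}

/* The same part after the patch: both tests go through the hook, and
 * uid/euid are no longer consulted. */
int badness_after(unsigned int uid, unsigned int euid, uint32_t caps, int points)
{
    struct task p = { "", uid, euid, caps };
    if (!security_capable(&p, CAP_SYS_ADMIN))
        points /= 4;
    if (!security_capable(&p, CAP_SYS_RAWIO))
        points /= 4;
    return points;
}

/* Signal chosen by oom_kill_task() before and after the patch. */
int oom_signal_before(uint32_t caps)
{
    return (caps & CAP_TO_MASK(CAP_SYS_RAWIO)) ? SIGTERM : SIGKILL;
}

int oom_signal_after(uint32_t caps)
{
    struct task p = { "", 1000, 1000, caps };
    return !security_capable(&p, CAP_SYS_RAWIO) ? SIGTERM : SIGKILL;
}

int main(void)
{
    /* Constructed sample tasks covering the cases the mail discusses. */
    const struct task tasks[] = {
        { "unpriv",          1000, 1000, 0 },
        { "root-allcaps",       0,    0, CAP_TO_MASK(CAP_SYS_ADMIN) | CAP_TO_MASK(CAP_SYS_RAWIO) },
        { "root-capsdropped",   0,    0, 0 },
        { "setuid-euid0",    1000,    0, 0 },
        { "nonroot-rawio",   1000, 1000, CAP_TO_MASK(CAP_SYS_RAWIO) },
    };
    size_t i;

    printf("%-18s %7s %7s %10s %9s\n", "task", "before", "after", "sig_before", "sig_after");
    for (i = 0; i < sizeof tasks / sizeof tasks[0]; i++) {
        const struct task *t = &tasks[i];
        printf("%-18s %7d %7d %10d %9d\n", t->comm,
               badness_before(t->uid, t->euid, t->cap_effective, 1000),
               badness_after(t->uid, t->euid, t->cap_effective, 1000),
               oom_signal_before(t->cap_effective),
               oom_signal_after(t->cap_effective));
    }
    return 0;
}
```

With the default module the two uid-0/euid-0 tasks without CAP_SYS_ADMIN are the only ones whose score moves (from 250 back up to 1000), which is exactly the semantic difference the mail calls out; switching to the deny-everything module removes every reduction and turns the SIGTERM for the CAP_SYS_RAWIO task into a SIGKILL, showing how much of the OOM policy the patch hands to the module.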
This archive was generated by hypermail 2b30 : Tue Aug 21 2001 - 12:22:34 PDT