Re: cdrecord deadlocks linux 2.6.8.1 (problem in setscheduler)

From: Stephen Smalley (sds@private)
Date: Mon Oct 18 2004 - 06:49:16 PDT


On Mon, 2004-10-18 at 08:43, Thomas Bleher wrote:
> cdrecord deadlocks linux 2.6.8.1:
> 
> I have just written selinux policy for cdrecord. While writing this 
> policy cdrecord constantly locked up the computer (even in permissive
> mode). When booting with selinux=0 the problem went away.
> 
> After digging around for a while, the following seems to be happening:
> * cdrecord calls sched_setscheduler()
> * setscheduler (in kernel/sched.c) asks for CAP_SYS_NICE
> * cdrecord doesn't have this capability
> * selinux generates an audit message ==> deadlock
> 
> When I grant cdrecord CAP_SYS_NICE everything works fine.
> I think SELinux shouldn't generate a log message in this case; like it
> is already suppressed for setsched.
> 
> To test, add the attached policy, remove sys_nice from the allowed caps
> and simply call cdrecord without parameters.

Suppressing auditing entirely is undesirable as it makes policy
debugging very difficult.  I think we need to either:
a) Add a flag to avc_audit(), optionally passed via avc_audit_data, that
tells it to use audit_log_end_irq() so that it merely enqueues the audit
message for later processing, and change capable and setscheduler hooks
to pass this flag, or 
b) Move the security checks in setscheduler outside of the runqueue
lock, then just recheck that no security-relevant conditions changed
after taking the lock.

Thoughts?

-- 
Stephen Smalley <sds@private>
National Security Agency
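
Option (b) from the message above, modelled in userspace C as an added example; it is not code from this thread or from the kernel. `struct task`, `audit_denial()`, `set_policy()`, the `window` hook, the simplified permission rule and the premise that the audit path needs `rq_lock` are all assumptions of the model.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed userspace model; all names are hypothetical, none is kernel code. */
struct task {
    pthread_mutex_t rq_lock;  /* stands in for the runqueue lock */
    int owner_uid;            /* security-relevant state the check depends on */
    int policy;
};
static int audit_records, audit_deadlocks;

/* Assumption: the audit path needs rq_lock; trylock flags the call that would hang. */
static void audit_denial(struct task *t)
{
    if (pthread_mutex_trylock(&t->rq_lock) != 0) { audit_deadlocks++; return; }
    audit_records++;
    pthread_mutex_unlock(&t->rq_lock);
}

/* Option (b) with a simplified rule (another uid's task needs the capability).
 * `window` is a hook that runs where a concurrent change could land. */
static int set_policy(struct task *t, int uid, bool cap_sys_nice, int policy,
                      void (*window)(struct task *))
{
    for (;;) {
        pthread_mutex_lock(&t->rq_lock);
        int seen_owner = t->owner_uid;       /* snapshot under the lock */
        pthread_mutex_unlock(&t->rq_lock);
        if (!cap_sys_nice && uid != seen_owner) {
            audit_denial(t);                 /* lock not held: cannot self-deadlock */
            return -1;
        }
        if (window) { window(t); window = NULL; }
        pthread_mutex_lock(&t->rq_lock);
        bool unchanged = (t->owner_uid == seen_owner);
        if (unchanged) t->policy = policy;   /* commit only if the check still holds */
        pthread_mutex_unlock(&t->rq_lock);
        if (unchanged) return 0;             /* otherwise repeat the check */
    }
}

/* Hook for the single-threaded demo: the owner changes after the check. */
static void change_owner(struct task *t) { t->owner_uid = 0; }

int main(void)
{
    struct task t = { .rq_lock = PTHREAD_MUTEX_INITIALIZER, .owner_uid = 1000 };
    int rc = set_policy(&t, 1000, false, 1, change_owner);
    printf("raced call: %d, audited: %d\n", rc, audit_records);
    return 0;
}
```

Build with `cc -pthread`. Calling `audit_denial()` while `rq_lock` is held increments `audit_deadlocks` instead of hanging, which is the ordering that option (b) removes.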
