Date: Mon, 11 Jan 2016 17:24:44 +0100
From: Willy Tarreau
To: Tetsuo Handa
Cc: viro@zeniv.linux.org.uk, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, torvalds@linux-foundation.org, socketpair@gmail.com
Subject: Re: [PATCH v2] pipe: limit the per-user amount of pages allocated in pipes
Message-ID: <20160111162444.GA20163@1wt.eu>
References: <201601111226.u0BCQ1gv031473@mail.home.local> <201601120119.JHB51017.JFOFtSOLOMHVFQ@I-love.SAKURA.ne.jp>
In-Reply-To: <201601120119.JHB51017.JFOFtSOLOMHVFQ@I-love.SAKURA.ne.jp>

On Tue, Jan 12, 2016 at 01:19:00AM +0900, Tetsuo Handa wrote:
> Willy Tarreau wrote:
> > @@ -1066,7 +1094,8 @@ long pipe_fcntl(struct file *file, unsigned int cmd, unsigned long arg) > > if (!nr_pages) > > goto out; > > > > - if (!capable(CAP_SYS_RESOURCE) && size > pipe_max_size) { > > + if (!capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN) && > > + (size > pipe_max_size || too_many_pipe_buffers(pipe->user))) { > > ret = -EPERM; > > goto out; > > }
>
> I think we should not check capable(CAP_SYS_ADMIN) for size > pipe_max_size
> case, for checking capable(CAP_SYS_ADMIN) needlessly generates audit logs and
> also loosens permission required for setting size > pipe_max_size.
>
> Also, I think we should not check capable(CAP_SYS_ADMIN) unless
> too_many_pipe_buffers(pipe->user) is true, for checking capable(CAP_SYS_ADMIN)
> needlessly generates audit logs.
>
> Since too_many_unix_fds() requires capable(CAP_SYS_ADMIN) || capable(CAP_SYS_ADMIN),
> I think what we want is something like below?
>
>     if (!capable(CAP_SYS_RESOURCE) && size > pipe_max_size) {
>         ret = -EPERM;
>         goto out;
>     } else if (too_many_pipe_buffers(pipe->user) &&
>                !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN)) {
>         ret = -EPERM;
>         goto out;
>     }

OK that works for me. Do you have an opinion regarding my other proposal of
soft vs hard limit ?

Thanks,
Willy
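Review bot: The two `+` lines in the pipe_fcntl hunk change who may exceed pipe_max_size: the removed line rejected `size > pipe_max_size` unless the caller held CAP_SYS_RESOURCE, whereas the replacement condition also lets a caller with only CAP_SYS_ADMIN through, so the merged check grants more than the original one did. The ordering is also costly: because `!capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN)` is evaluated before either limit is consulted, an unprivileged caller reaching this path triggers both capability checks (and the audit records they produce) even when the requested size is within pipe_max_size and too_many_pipe_buffers() would return false. Suggest leaving the original `if (!capable(CAP_SYS_RESOURCE) && size > pipe_max_size)` line untouched and adding a second branch that tests `too_many_pipe_buffers(pipe->user)` first and only then falls back to the capability checks, which is the shape the reply proposes.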