fanotify: avoid/silence premature LSM capability checks
authorOndrej Mosnacek <omosnace@redhat.com>
Mon, 16 Feb 2026 15:06:24 +0000 (16:06 +0100)
committerJan Kara <jack@suse.cz>
Thu, 26 Feb 2026 14:18:31 +0000 (15:18 +0100)
Make sure calling capable()/ns_capable() actually leads to access being denied
when false is returned, because these functions emit an audit record
when a Linux Security Module denies the capability, which makes it
difficult to avoid allowing/silencing unnecessary permissions in
security policies (namely with SELinux).

Where the return value just used to set a flag, use the non-auditing
ns_capable_noaudit() instead.

Fixes: 7cea2a3c505e ("fanotify: support limited functionality for unprivileged users")
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-by: Paul Moore <paul@paul-moore.com>
Reviewed-by: Amir Goldstein <amir73il@gmail.com>
Link: https://patch.msgid.link/20260216150625.793013-2-omosnace@redhat.com
Signed-off-by: Jan Kara <jack@suse.cz>
fs/notify/fanotify/fanotify_user.c

index c2dcb25151deb2a02890da3078eee2a502d21b8a..5d030fbb2dffebbe3bd664a5f4b90b4ce93d5f59 100644 (file)
@@ -1615,17 +1615,18 @@ SYSCALL_DEFINE2(fanotify_init, unsigned int, flags, unsigned int, event_f_flags)
        pr_debug("%s: flags=%x event_f_flags=%x\n",
                 __func__, flags, event_f_flags);
 
-       if (!capable(CAP_SYS_ADMIN)) {
-               /*
-                * An unprivileged user can setup an fanotify group with
-                * limited functionality - an unprivileged group is limited to
-                * notification events with file handles or mount ids and it
-                * cannot use unlimited queue/marks.
-                */
-               if ((flags & FANOTIFY_ADMIN_INIT_FLAGS) ||
-                   !(flags & (FANOTIFY_FID_BITS | FAN_REPORT_MNT)))
-                       return -EPERM;
+       /*
+        * An unprivileged user can setup an fanotify group with limited
+        * functionality - an unprivileged group is limited to notification
+        * events with file handles or mount ids and it cannot use unlimited
+        * queue/marks.
+        */
+       if (((flags & FANOTIFY_ADMIN_INIT_FLAGS) ||
+            !(flags & (FANOTIFY_FID_BITS | FAN_REPORT_MNT))) &&
+           !capable(CAP_SYS_ADMIN))
+               return -EPERM;
 
+       if (!ns_capable_noaudit(&init_user_ns, CAP_SYS_ADMIN)) {
                /*
                 * Setting the internal flag FANOTIFY_UNPRIV on the group
                 * prevents setting mount/filesystem marks on this group and
@@ -1990,8 +1991,8 @@ static int do_fanotify_mark(int fanotify_fd, unsigned int flags, __u64 mask,
         * A user is allowed to setup sb/mount/mntns marks only if it is
         * capable in the user ns where the group was created.
         */
-       if (!ns_capable(group->user_ns, CAP_SYS_ADMIN) &&
-           mark_type != FAN_MARK_INODE)
+       if (mark_type != FAN_MARK_INODE &&
+           !ns_capable(group->user_ns, CAP_SYS_ADMIN))
                return -EPERM;
 
        /*
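Review bot: The `ns_capable_noaudit(&init_user_ns, CAP_SYS_ADMIN)` call in the fanotify_init hunk has no comment saying why the non-auditing variant is the right one there, and a later reader who sees `capable(CAP_SYS_ADMIN)` a few lines above may "unify" the two checks and reintroduce the spurious LSM denial record this commit removes. A comment such as `/* Only selects FANOTIFY_UNPRIV, never denies the call; use the non-auditing check so an LSM does not log a CAP_SYS_ADMIN denial for every unprivileged caller. */` placed above that line would carry the rationale from the commit message into the code. The existing comment block inside that branch describes what FANOTIFY_UNPRIV restricts but not why the check itself is silent, so it does not cover this. The reorder in the do_fanotify_mark hunk needs no comment, as the comment already above it states the rule. Both fanotify_init and do_fanotify_mark continue beyond their hunks.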