timerfd: Reject ALARM timerfds without CAP_WAKE_ALARM

commit 2895a5e5b3ae78d9923a91fce405d4a2f32c4309 upstream.

timerfd gives processes a way to set wake alarms, but unlike timers made using
timer_create, timerfds don't check whether the process has CAP_WAKE_ALARM
before setting alarm-time timers. CAP_WAKE_ALARM is supposed to gate this
behavior and so it makes sense that we should deny permission to create such
timerfds if the process doesn't have this capability.

Signed-off-by: Eric Caruso <ejcaruso@google.com>
Cc: Todd Poynor <toddpoynor@google.com>
Link: http://lkml.kernel.org/r/1465427339-96209-1-git-send-email-ejcaruso@chromium.org
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Kasper Zwijsen <Kasper.Zwijsen@UGent.be>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/fs/timerfd.c b/fs/timerfd.c
index 1327a02ec77845f792aaac2649eb65ab3f0dc439..ab8dd153838174f3d2fbe1b7a31e98401429fd00 100644 (file)
--- a/fs/timerfd.c
+++ b/fs/timerfd.c
@@ -400,6 +400,11 @@ SYSCALL_DEFINE2(timerfd_create, int, clockid, int, flags)
             clockid != CLOCK_BOOTTIME_ALARM))
                return -EINVAL;
 
+       if (!capable(CAP_WAKE_ALARM) &&
+           (clockid == CLOCK_REALTIME_ALARM ||
+            clockid == CLOCK_BOOTTIME_ALARM))
+               return -EPERM;
+
        ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
        if (!ctx)
                return -ENOMEM;
@@ -444,6 +449,11 @@ static int do_timerfd_settime(int ufd, int flags,
                return ret;
        ctx = f.file->private_data;
 
+       if (!capable(CAP_WAKE_ALARM) && isalarm(ctx)) {
+               fdput(f);
+               return -EPERM;
+       }
+
        timerfd_setup_cancel(ctx, flags);
 
        /*