Commit 9d3a39a5 authored Aug 24, 2020 by Khazhismel Kumykov Committed by Jens Axboe Sep 01, 2020

block: grant IOPRIO_CLASS_RT to CAP_SYS_NICE



CAP_SYS_ADMIN is too broad, and ionice fits into CAP_SYS_NICE's grouping.

Retain CAP_SYS_ADMIN permission for backwards compatibility.

Signed-off-by: Khazhismel Kumykov <khazhy@google.com>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Acked-by: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>

parent a7863b34

block/ioprio.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -69,7 +69,7 @@ int ioprio_check_cap(int ioprio)

		switch (class) {
		case IOPRIO_CLASS_RT:
		if (!capable(CAP_SYS_ADMIN))
		if (!capable(CAP_SYS_NICE) && !capable(CAP_SYS_ADMIN))
		return -EPERM;
		fallthrough;
		/* rt has prio field too */

include/uapi/linux/capability.h

+2 −0

Original line number	Diff line number	Diff line
		@@ -288,6 +288,8 @@ struct vfs_ns_cap_data {
		processes and setting the scheduling algorithm used by another
		process. */
		/* Allow setting cpu affinity on other processes */
		/* Allow setting realtime ioprio class */
		/* Allow setting ioprio class on other processes */

		#define CAP_SYS_NICE 23