From f3ad68446455acbe562e0057931e6256b8b991e8 Mon Sep 17 00:00:00 2001
From: Dmitry Vyukov <dvyukov@google.com>
Date: Mon, 22 Jul 2019 11:59:00 +0200
Subject: executor: drop CAP_SYS_NICE

A process with CAP_SYS_NICE can bring kernel down by asking for too high SCHED_DEADLINE priority,
as the result rcu and other system services that use kernel threads will stop functioning.
Some parameters for SCHED_DEADLINE should be OK, but we don't have means to enforce
values of indirect syscall arguments. Peter Zijlstra proposed sysctl_deadline_period_{min,max}
which could be used to enfore safe limits without droppping CAP_SYS_NICE, but we don't have it yet.
See the following bug for details:
https://groups.google.com/forum/#!topic/syzkaller-bugs/G6Wl_PKPIWI
---
 sys/linux/test/caps | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'sys/linux/test')

diff --git a/sys/linux/test/caps b/sys/linux/test/caps
index f3ef3a9e0..6f580210e 100644
--- a/sys/linux/test/caps
+++ b/sys/linux/test/caps
@@ -3,3 +3,6 @@
 # requires: -sandbox=
 
 ptrace(0x10, 0x1)	# EPERM
+sched_setattr(0x0, &AUTO={AUTO, 0x6, 0x0, 0x0, 0x0, 0x8000000009917, 0x400000000000fffd, 0x0}, 0x0)	# EPERM
+sched_setattr(0x0, &AUTO={AUTO, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0}, 0x0)	# EPERM
+sched_setattr(0x0, &AUTO={AUTO, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x0}, 0x0)
-- 
cgit mrf-deployment