Quoting Kees Cook ([email protected]): > On Thu, Jul 14, 2016 at 9:09 AM, John Stultz <[email protected]> wrote: > > On Thu, Jul 14, 2016 at 5:48 AM, Serge E. Hallyn <[email protected]> wrote: > >> Quoting Kees Cook ([email protected]): > >>> I think the original CAP_SYS_NICE should be fine. A malicious > >>> CAP_SYS_NICE process can do plenty of insane things, I don't feel like > >>> the timer slack adds to any realistic risks. > >> > >> Can someone give a detailed explanation of what you could do with > >> the new timerslack feature and compare it to what you can do with > >> sys_nice? > > > > Looking at the man page for CAP_SYS_NICE, it looks like such a task > > can set a task as SCHED_FIFO, so they could fork some spinning > > processes and set them all SCHED_FIFO 99, in effect delaying all other > > tasks for an infinite amount of time. > > > > So one might argue setting large timerslack vlaues isn't that > > different risk wise? > > Right -- you can hose a system with CAP_SYS_NICE already; I don't > think timerslack realistically changes that.
Thanks - so it seems to me if we go with CAP_SYS_NICE we are giving those who can already hose the system another vector to doing so. But if we require CAP_SYS_PTRACE then we are giving those who can newly hose the system also the ability to subvert any task. It sounds like CAP_SYS_NICE is the winner. Kees, you said adding a capability is hard - can you expound on that?
