block: grant IOPRIO_CLASS_RT to CAP_SYS_NICE

CAP_SYS_ADMIN is too broad, and ionice fits into CAP_SYS_NICE's grouping. Retain CAP_SYS_ADMIN permission for backwards compatibility. Signed-off-by: Khazhismel Kumykov <khazhy@google.com> Reviewed-by: Bart Van Assche <bvanassche@acm.org> Acked-by: Serge Hallyn <serge@hallyn.com> Signed-off-by: Jens Axboe <axboe@kernel.dk>
2020-08-24 15:10:34 -07:00 · 2020-08-24 15:10:34 -07:00 · 9d3a39a5f1
--- a/block/ioprio.c
+++ b/block/ioprio.c
@ -69,7 +69,7 @@ int ioprio_check_cap(int ioprio)

 	switch (class) {
 		case IOPRIO_CLASS_RT:
-			if (!capable(CAP_SYS_ADMIN))
+			if (!capable(CAP_SYS_NICE) && !capable(CAP_SYS_ADMIN))
 				return -EPERM;
 			fallthrough;
 			/* rt has prio field too */
--- a/include/uapi/linux/capability.h
+++ b/include/uapi/linux/capability.h
@ -288,6 +288,8 @@ struct vfs_ns_cap_data {
   processes and setting the scheduling algorithm used by another
   process. */
 /* Allow setting cpu affinity on other processes */
+/* Allow setting realtime ioprio class */
+/* Allow setting ioprio class on other processes */

 #define CAP_SYS_NICE         23