From 55e11a500f7817e8ff125ea9f06ead95e46e8651 Mon Sep 17 00:00:00 2001 From: John Kacur Date: Wed, 21 Feb 2024 16:00:54 -0500 Subject: [PATCH] Make fill_process_comm() open comm file as READ_ONLY Resolves: RHEL-25846 Signed-off-by: John Kacur --- ...ess_comm-open-comm-file-as-READ_ONLY.patch | 34 +++++++++++++++++++ stalld.spec | 11 ++++-- 2 files changed, 43 insertions(+), 2 deletions(-) create mode 100644 Make-fill_process_comm-open-comm-file-as-READ_ONLY.patch diff --git a/Make-fill_process_comm-open-comm-file-as-READ_ONLY.patch b/Make-fill_process_comm-open-comm-file-as-READ_ONLY.patch new file mode 100644 index 0000000..20817a3 --- /dev/null +++ b/Make-fill_process_comm-open-comm-file-as-READ_ONLY.patch @@ -0,0 +1,34 @@ +From f9c0ade7cd9a514d4ca6f81f797284e11c56b31a Mon Sep 17 00:00:00 2001 +From: Chris White +Date: Wed, 21 Feb 2024 15:22:44 -0500 +Subject: [PATCH] Make fill_process_comm() open comm file as READ_ONLY + +The fill_process_comm() opens the comm file using O_RDWR. The +function itself does not perform a write operation on the file, +and opening this in read and write mode can cause selinux policy +violations where opening the file with write permission is +restricted. Since the function itself only needs to read from this +fd, changing this to READ_ONLY (O_RDONLY) + +Signed-off-by: Chris White +Signed-off-by: John Kacur +--- + src/utils.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/utils.c b/src/utils.c +index f6feca7040d8..898f4a5d06a7 100644 +--- a/src/utils.c ++++ b/src/utils.c +@@ -55,7 +55,7 @@ int fill_process_comm(int tgid, int pid, char *comm, int comm_size) + if (retval < 0) + goto out_error; + +- fd = open(path, O_RDWR); ++ fd = open(path, O_RDONLY); + if (fd < 0) { + log_msg("failed to open comm file at %s\n", path); + goto out_error; +-- +2.43.0 + diff --git a/stalld.spec b/stalld.spec index 88ea9ea..b046e7e 100644 --- a/stalld.spec +++ b/stalld.spec 
@@ -1,6 +1,6 @@ Name: stalld Version: 1.19.1 -Release: 1%{?dist} +Release: 2%{?dist} Summary: Daemon that finds starving tasks and gives them a temporary boost License: GPLv2 @@ -22,6 +22,9 @@ BuildRequires: libbpf-devel Requires: libbpf %endif +# Patches +Patch1: Make-fill_process_comm-open-comm-file-as-READ_ONLY.patch + %description The stalld program monitors the set of system threads, looking for threads that are ready-to-run but have not @@ -31,7 +34,7 @@ boost using the SCHED_DEADLINE policy. The default is to allow 10 microseconds of runtime for 1 second of clock time. %prep -%autosetup +%autosetup -p1 %build %make_build CFLAGS="%{optflags} %{build_cflags} -DVERSION="\\\"%{version}\\\""" LDFLAGS="%{build_ldflags}" @@ -59,6 +62,10 @@ allow 10 microseconds of runtime for 1 second of clock time. %systemd_postun_with_restart %{name}.service %changelog +* Wed Feb 21 2024 John Kacur - 1.19.1-2 +- Make fill_process_comm() open comm file as READ_ONLY +Resolves: RHEL-25846 + * Fri Feb 09 2024 John Kacur - 1.19.1-1 - Rebase to upstream stalld-1.19.1 Resolves: RHEL-7865
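Review bot: In the embedded src/utils.c hunk, the last sentence of the commit message is cut off ("Since the function itself only needs to read from this fd, changing this to READ_ONLY (O_RDONLY)") and should be completed, e.g. "... changing this to O_RDONLY removes the need for write permission on the comm file." The code change itself is the right least-privilege fix: fill_process_comm() only reads comm, so requesting write access buys nothing and, as the message notes, trips SELinux policies that deny write on that file. One follow-up worth considering in the same region: the failure path `log_msg("failed to open comm file at %s\n", path);` does not record errno, so an EACCES from a policy denial is indistinguishable in the log from other open() failures; appending `strerror(errno)` to that message would make future policy problems much easier to diagnose.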
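Review bot: The `Patch1:` hunk in stalld.spec adds the patch with only a bare `# Patches` comment; please add a one-line comment above `Patch1:` citing the upstream commit it backports (f9c0ade7cd9a514d4ca6f81f797284e11c56b31a) and RHEL-25846, so that whoever does the next rebase can see at a glance whether the patch is already upstream and can be dropped.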
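Review bot: The `%prep` hunk changing `%autosetup` to `%autosetup -p1` is required and correct: the new patch file uses `a/src/utils.c` and `b/src/utils.c` path prefixes, so without `-p1` the patch would fail to apply during the build. Since this is the first `Patch` line in the spec, the Release bump to `2%{?dist}` and the changelog entry are consistent with it; nothing further needed there.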