timerfd: Reject ALARM timerfds without CAP_WAKE_ALARM
author Eric Caruso <ejcaruso@google.com>
Wed, 8 Jun 2016 23:08:59 +0000 (16:08 -0700)
committer Thomas Gleixner <tglx@linutronix.de>
Thu, 9 Jun 2016 21:42:38 +0000 (23:42 +0200)
timerfd gives processes a way to set wake alarms, but unlike timers made using
timer_create, timerfds don't check whether the process has CAP_WAKE_ALARM
before setting alarm-time timers. CAP_WAKE_ALARM is supposed to gate this
behavior and so it makes sense that we should deny permission to create such
timerfds if the process doesn't have this capability.

Signed-off-by: Eric Caruso <ejcaruso@google.com>
Cc: Todd Poynor <toddpoynor@google.com>
Link: http://lkml.kernel.org/r/1465427339-96209-1-git-send-email-ejcaruso@chromium.org
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
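A userspace probe for checking whether a running kernel enforces this gate, added here as an example for this page and not part of the kernel patch. It calls timerfd_create(2) on both ALARM clocks and, where the kernel allows that, exercises timerfd_settime(2), the path the second hunk guards, by arming a one-shot timer and disarming it again. The result categories, the one-hour arm value and the fallback clock-id defines (the Linux ABI values 8 and 9) are the example's own choices.

```c
/* Probe whether this kernel rejects alarm-clock timerfds without CAP_WAKE_ALARM.
 * Added example for this commit page; not part of the kernel patch. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <time.h>
#include <unistd.h>
#include <sys/timerfd.h>

/* Linux ABI clock ids; older libc headers may not expose them. */
#ifndef CLOCK_REALTIME_ALARM
#define CLOCK_REALTIME_ALARM 8
#endif
#ifndef CLOCK_BOOTTIME_ALARM
#define CLOCK_BOOTTIME_ALARM 9
#endif

enum probe_result {
    PROBE_ALLOWED,     /* created and armed: caller holds CAP_WAKE_ALARM, or kernel predates the check */
    PROBE_DENIED,      /* EPERM: the CAP_WAKE_ALARM check from this patch fired */
    PROBE_UNSUPPORTED, /* EINVAL/ENOSYS: kernel or sandbox does not offer the clock at all */
    PROBE_OTHER        /* any other failure */
};

/* Map a syscall outcome (return value plus errno) to a probe category.
 * Kept as a pure function so the mapping can be checked without a kernel. */
enum probe_result classify(int rc, int err)
{
    if (rc >= 0)
        return PROBE_ALLOWED;
    if (err == EPERM)
        return PROBE_DENIED;
    if (err == EINVAL || err == ENOSYS)
        return PROBE_UNSUPPORTED;
    return PROBE_OTHER;
}

/* Create a timerfd on the given clock and, if that is allowed, walk the
 * timerfd_settime() path the second hunk guards: arm a one-shot timer one
 * hour out (constructed value), then disarm it with an all-zero itimerspec. */
enum probe_result probe_alarm_clock(int clockid)
{
    int fd = timerfd_create(clockid, TFD_CLOEXEC | TFD_NONBLOCK);
    enum probe_result r = classify(fd, errno);
    if (r != PROBE_ALLOWED)
        return r;

    struct itimerspec arm = { .it_value = { .tv_sec = 3600 } };
    struct itimerspec disarm = { 0 };
    int rc = timerfd_settime(fd, 0, &arm, NULL);
    r = classify(rc, errno);
    if (r == PROBE_ALLOWED) {
        rc = timerfd_settime(fd, 0, &disarm, NULL);
        r = classify(rc, errno);
    }
    close(fd);
    return r;
}

static const char *describe(enum probe_result r)
{
    switch (r) {
    case PROBE_ALLOWED:     return "allowed (CAP_WAKE_ALARM held, or kernel predates the check)";
    case PROBE_DENIED:      return "denied with EPERM (CAP_WAKE_ALARM check enforced)";
    case PROBE_UNSUPPORTED: return "clock not available (EINVAL/ENOSYS)";
    default:                return "unexpected error";
    }
}

int main(void)
{
    printf("CLOCK_REALTIME_ALARM: %s\n", describe(probe_alarm_clock(CLOCK_REALTIME_ALARM)));
    printf("CLOCK_BOOTTIME_ALARM: %s\n", describe(probe_alarm_clock(CLOCK_BOOTTIME_ALARM)));
    /* A non-alarm clock needs no capability and serves as the control case. */
    printf("CLOCK_MONOTONIC:      %s\n", describe(probe_alarm_clock(CLOCK_MONOTONIC)));
    return 0;
}
```

Run it once as an unprivileged user and once with CAP_WAKE_ALARM: on a kernel carrying this patch the ALARM lines flip from "denied" to "allowed" while the CLOCK_MONOTONIC control stays "allowed" in both runs. A kernel without the patch reports "allowed" for all three regardless of privilege.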
fs/timerfd.c

index 053818dd6c18be8f228e1c40483e50d78aa78007..9ae4abb4110b84ef286facc88e66be9d954a021d 100644 (file)
@@ -390,6 +390,11 @@ SYSCALL_DEFINE2(timerfd_create, int, clockid, int, flags)
             clockid != CLOCK_BOOTTIME_ALARM))
                return -EINVAL;
 
+       if (!capable(CAP_WAKE_ALARM) &&
+           (clockid == CLOCK_REALTIME_ALARM ||
+            clockid == CLOCK_BOOTTIME_ALARM))
+               return -EPERM;
+
        ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
        if (!ctx)
                return -ENOMEM;
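Review bot: the new -EPERM test re-compares clockid against CLOCK_REALTIME_ALARM and CLOCK_BOOTTIME_ALARM, the same values the -EINVAL test directly above it already examines, so the two conditions can drift apart if another alarm clock is ever added; consider computing `bool alarm = clockid == CLOCK_REALTIME_ALARM || clockid == CLOCK_BOOTTIME_ALARM;` once and using it in both places. Placing the check before the kzalloc() is right, since no context exists yet to free on the -EPERM path. The timerfd_create(2) man page also needs a new EPERM entry (ALARM clock requested without CAP_WAKE_ALARM), since that error was previously unreachable from this syscall.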
@@ -433,6 +438,11 @@ static int do_timerfd_settime(int ufd, int flags,
                return ret;
        ctx = f.file->private_data;
 
+       if (!capable(CAP_WAKE_ALARM) && isalarm(ctx)) {
+               fdput(f);
+               return -EPERM;
+       }
+
        timerfd_setup_cancel(ctx, flags);
 
        /*
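Review bot: the guard rejects every settime call on an alarm timerfd from a caller without CAP_WAKE_ALARM, including one whose new value would only disarm the timer, so a process that inherited an armed alarm fd from a privileged parent, or dropped the capability itself, can no longer cancel it; either let the all-zero disarm case through or state in the changelog that this is intended. Re-checking capable() here rather than only in timerfd_create() is the right call, because the fd can reach an unprivileged process through fork, SCM_RIGHTS or a later capability drop, and the fdput(f) before returning matches the error handling of the `return ret;` path above it.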