Re: [PATCH 5.10 130/154] block: Check ADMIN before NICE for IOPRIO_CLASS_RT

Greg Kroah-Hartman wrote:

From: Alistair Delva adelva@google.com

commit 94c4b4fd25e6c3763941bdec3ad54f2204afa992 upstream.

[SNIP]

--- a/block/ioprio.c +++ b/block/ioprio.c @@ -69,7 +69,14 @@ int ioprio_check_cap(int ioprio)

    switch (class) {
            case IOPRIO_CLASS_RT:

•                   if (!capable(CAP_SYS_NICE) && !capable(CAP_SYS_ADMIN))
  

•                   /*
  

•                    * Originally this only checked for CAP_SYS_ADMIN,
  

•                    * which was implicitly allowed for pid 0 by security
  

•                    * modules such as SELinux. Make sure we check
  

•                    * CAP_SYS_ADMIN first to avoid a denial/avc for
  

•                    * possibly missing CAP_SYS_NICE permission.
  

•                    */
  

•                   if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_NICE))
                            return -EPERM;
                    fallthrough;
                    /* rt has prio field too */
  

What exactly is above patch trying to fix? It does not change control flow at all, and added comment is misleading.