Bug 1217915

Summary: AUDIT-WHITELIST: gamemode: new polkit actions and rule
Product: [openSUSE] openSUSE Tumbleweed Reporter: Matthias Bach <marix>
Component: SecurityAssignee: Matthias Gerstner <matthias.gerstner>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P5 - None CC: wolfgang.frisch
Version: Current   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Matthias Bach 2023-12-09 14:30:50 UTC 
For my package found in OBS in games:tools:gamemode I would like a whitelisting for the following rpmlint errors:

gamemoded.x86_64: E: polkit-untracked-privilege (Badness: 10) com.feralinteractive.GameMode.cpu-helper (no:no:no)

gamemoded.x86_64: E: polkit-untracked-privilege (Badness: 10) com.feralinteractive.GameMode.procsys-helper (no:no:no)

gamemoded.x86_64: E: polkit-file-unauthorized (Badness: 10) /usr/share/polkit-1/rules.d/gamemode.rules (sha256 file digest default filter:fe5626c22b5599331e5db91a1f983e03d763424c0fc68a0ce0729e0290d12fed shell filter:fe5626c22b5599331e5db91a1f983e03d763424c0fc68a0ce0729e0290d12fed xml filter:&lt;failed-to-calculate&gt;)

The cpu-helper is required for upstream's new CPU core pinning and parking capability.
The procsys-helper is required for upstream's new feature to allow disabling the Linux kernel split lock mitigation.
The new rule file is introduced as any functionality requiring privileges is now no longer available to any user with an active session but only to those that are members of the gamemode group. This is in line with upstream that also changed the default configuration here.
Comment 1 Wolfgang Frisch 2023-12-11 10:29:21 UTC 
Thank you for opening this bug report.
We will schedule it in our team shortly.
Comment 2 Matthias Gerstner 2023-12-11 11:06:44 UTC 
Thank you for opening the review bug.

The new helpers are small and look fine on first sight. We will schedule a
full review and report back.
Comment 3 Matthias Gerstner 2023-12-13 10:21:53 UTC 
I will work on this.
Comment 4 Matthias Gerstner 2023-12-13 10:56:22 UTC 
Just a quick note on the packaging: you will need to rename the
"gamemode.rules" file, because currently the 50-default.rules from
polkit-default-privs takes precedence and will override the rules from your
package.

You should name it something like 40-gamemode.rules for them to become
effective.
Comment 5 Matthias Bach 2023-12-13 11:49:38 UTC 
Thanks, Matthias. I had already been wondering what I was doing wrong.
Comment 6 Matthias Gerstner 2023-12-13 12:47:25 UTC 
I'm done with the review. The helpers are written in a simple, somewhat old
school style, but also in a very defensive style. Nothing to complain about.

cpu-helper will allow to turn off arbitrary CPUs which is a pretty strong
capability in terms of DoSsing a system. Since it is opt in only for members
of the gamemode group I guess it's okay.

The procsys-helper is also heavy stuff, it allows to disable the
`split_lock_mitigate` in /proc/sys/kernel. This allows, as the kernel docs
says, "bad applications" to run with better performance, while opening up
quite a local DoS vector against all "good applications". Likely some games
qualify as such "bad applications" which makes this necessary in gamemode.
Here I see it similarly as above for the cpu-helper. It's limited to explicit
members of "gamemode" so I am fine with it.

Once you have the newly named rules file in the package I will start the
whitelisting process.
Comment 7 Matthias Bach 2023-12-13 13:08:55 UTC 
Thanks, Matthias.

I have updated the rules file in  games:tools:gamemode. I sadly only forgot to tag the bug in the commit so it didn't show up in here.
Comment 8 Matthias Gerstner 2023-12-13 14:05:25 UTC 
No problem, I already saw it. The whitelisting process has already been
started.
Comment 9 OBSbugzilla Bot 2023-12-14 17:35:05 UTC 
This is an autogenerated message for OBS integration:
This bug (1217915) was mentioned in
https://build.opensuse.org/request/show/1133150 Factory / rpmlint
Comment 10 Matthias Gerstner 2023-12-20 14:01:29 UTC 
The whitelisting is available by now in Factory. Closing as fixed.