Bugzilla – Bug 1217915
AUDIT-WHITELIST: gamemode: new polkit actions and rule
Last modified: 2024-03-13 09:22:13 UTC
For my package found in OBS in games:tools:gamemode I would like a whitelisting for the following rpmlint errors: gamemoded.x86_64: E: polkit-untracked-privilege (Badness: 10) com.feralinteractive.GameMode.cpu-helper (no:no:no) gamemoded.x86_64: E: polkit-untracked-privilege (Badness: 10) com.feralinteractive.GameMode.procsys-helper (no:no:no) gamemoded.x86_64: E: polkit-file-unauthorized (Badness: 10) /usr/share/polkit-1/rules.d/gamemode.rules (sha256 file digest default filter:fe5626c22b5599331e5db91a1f983e03d763424c0fc68a0ce0729e0290d12fed shell filter:fe5626c22b5599331e5db91a1f983e03d763424c0fc68a0ce0729e0290d12fed xml filter:<failed-to-calculate>) The cpu-helper is required for upstream's new CPU core pinning and parking capability. The procsys-helper is required for upstream's new feature to allow disabling the Linux kernel split lock mitigation. The new rule file is introduced as any functionality requiring privileges is now no longer available to any user with an active session but only to those that are members of the gamemode group. This is in line with upstream that also changed the default configuration here.
Thank you for opening this bug report. We will schedule it in our team shortly.
Thank you for opening the review bug. The new helpers are small and look fine on first sight. We will schedule a full review and report back.
I will work on this.
Just a quick note on the packaging: you will need to rename the "gamemode.rules" file, because currently the 50-default.rules from polkit-default-privs takes precedence and will override the rules from your package. You should name it something like 40-gamemode.rules for them to become effective.
Thanks, Matthias. I had already been wondering what I was doing wrong.
I'm done with the review. The helpers are written in a simple, somewhat old school style, but also in a very defensive style. Nothing to complain about. cpu-helper will allow to turn off arbitrary CPUs which is a pretty strong capability in terms of DoSsing a system. Since it is opt in only for members of the gamemode group I guess it's okay. The procsys-helper is also heavy stuff, it allows to disable the `split_lock_mitigate` in /proc/sys/kernel. This allows, as the kernel docs says, "bad applications" to run with better performance, while opening up quite a local DoS vector against all "good applications". Likely some games qualify as such "bad applications" which makes this necessary in gamemode. Here I see it similarly as above for the cpu-helper. It's limited to explicit members of "gamemode" so I am fine with it. Once you have the newly named rules file in the package I will start the whitelisting process.
Thanks, Matthias. I have updated the rules file in games:tools:gamemode. I sadly only forgot to tag the bug in the commit so it didn't show up in here.
No problem, I already saw it. The whitelisting process has already been started.
This is an autogenerated message for OBS integration: This bug (1217915) was mentioned in https://build.opensuse.org/request/show/1133150 Factory / rpmlint
The whitelisting is available by now in Factory. Closing as fixed.