[PATCH] io_uring: don't audit the capability check in io_uring_create()
Jens Axboe
axboe at kernel.dk
Tue Jul 18 20:16:42 UTC 2023
On Tue, 18 Jul 2023 13:56:07 +0200, Ondrej Mosnacek wrote:
> The check being unconditional may lead to unwanted denials reported by
> LSMs when a process has the capability granted by DAC, but denied by an
> LSM. In the case of SELinux such denials are a problem, since they can't
> be effectively filtered out via the policy and when not silenced, they
> produce noise that may hide a true problem or an attack.
>
> Since not having the capability merely means that the created io_uring
> context will be accounted against the current user's RLIMIT_MEMLOCK
> limit, we can disable auditing of denials for this check by using
> ns_capable_noaudit() instead of capable().
>
> [...]
Applied, thanks!
[1/1] io_uring: don't audit the capability check in io_uring_create()
commit: 6adc2272aaaf84f34b652cf77f770c6fcc4b8336
Best regards,
--
Jens Axboe
More information about the Linux-security-module-archive
mailing list