[PATCH 01/10] capability: introduce new capable flag CAP_OPT_NOAUDIT_ONDENY
Paul Moore
paul at paul-moore.com
Mon Jun 10 20:56:35 UTC 2024
On Fri, Mar 15, 2024 at 7:38 AM Christian Göttsche
<cgzones at googlemail.com> wrote:
>
> Introduce a new capable flag, CAP_OPT_NOAUDIT_ONDENY, to not generate
> an audit event if the requested capability is not granted. This will be
> used in a new capable_any() functionality to reduce the number of
> necessary capable calls.
>
> Handle the flag accordingly in AppArmor and SELinux.
>
> CC: linux-block at vger.kernel.org
> Suggested-by: Paul Moore <paul at paul-moore.com>
> Signed-off-by: Christian Göttsche <cgzones at googlemail.com>
> ---
> v5:
> rename flag to CAP_OPT_NOAUDIT_ONDENY, suggested by Serge:
> https://lore.kernel.org/all/20230606190013.GA640488@mail.hallyn.com/
> ---
> include/linux/security.h | 2 ++
> security/apparmor/capability.c | 8 +++++---
> security/selinux/hooks.c | 14 ++++++++------
> 3 files changed, 15 insertions(+), 9 deletions(-)
Acked-by: Paul Moore <paul at paul-moore.com>
--
paul-moore.com
More information about the Linux-security-module-archive
mailing list