[PATCH 01/10] capability: introduce new capable flag CAP_OPT_NOAUDIT_ONDENY

Paul Moore paul at paul-moore.com
Mon Jun 10 20:56:35 UTC 2024


On Fri, Mar 15, 2024 at 7:38 AM Christian Göttsche
<cgzones at googlemail.com> wrote:
>
> Introduce a new capable flag, CAP_OPT_NOAUDIT_ONDENY, to not generate
> an audit event if the requested capability is not granted.  This will be
> used in a new capable_any() functionality to reduce the number of
> necessary capable calls.
>
> Handle the flag accordingly in AppArmor and SELinux.
>
> CC: linux-block at vger.kernel.org
> Suggested-by: Paul Moore <paul at paul-moore.com>
> Signed-off-by: Christian Göttsche <cgzones at googlemail.com>
> ---
> v5:
>    rename flag to CAP_OPT_NOAUDIT_ONDENY, suggested by Serge:
>      https://lore.kernel.org/all/20230606190013.GA640488@mail.hallyn.com/
> ---
>  include/linux/security.h       |  2 ++
>  security/apparmor/capability.c |  8 +++++---
>  security/selinux/hooks.c       | 14 ++++++++------
>  3 files changed, 15 insertions(+), 9 deletions(-)

Acked-by: Paul Moore <paul at paul-moore.com>

-- 
paul-moore.com



More information about the Linux-security-module-archive mailing list