[PATCH v2 01/11] coccinelle: Add script to reorder capable() calls

Theodore Ts'o tytso at mit.edu
Tue Mar 18 03:41:14 UTC 2025


On Sun, 02 Mar 2025 17:06:48 +0100, Christian Göttsche wrote:
> capable() calls refer to enabled LSMs whether to permit or deny the
> request.  This is relevant in connection with SELinux, where a
> capability check results in a policy decision and by default a denial
> message on insufficient permission is issued.
> It can lead to three undesired cases:
>   1. A denial message is generated, even in case the operation was an
>      unprivileged one and thus the syscall succeeded, creating noise.
>   2. To avoid the noise from 1. the policy writer adds a rule to ignore
>      those denial messages, hiding future syscalls, where the task
>      performs an actual privileged operation, leading to hidden limited
>      functionality of that task.
>   3. To avoid the noise from 1. the policy writer adds a rule to permit
>      the task the requested capability, while it does not need it,
>      violating the principle of least privilege.
> 
> [...]

Applied, thanks!

[03/11] ext4: reorder capability check last
        commit: 26f5784d44c3f824c864245b506db809b51053cf

Best regards,
-- 
Theodore Ts'o <tytso at mit.edu>
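
The ordering problem described in the quoted commit message, as an added user-space model (not part of this mail and not the ext4 change itself). Every name in it (struct task, model_capable, the dontaudit flag, the two may_modify_* helpers) is hypothetical; model_capable() only imitates the fact that a refused capable() call emits a denial message.

```c
#include <stdbool.h>
#include <stdio.h>

/* User-space model; all names are hypothetical, none of this is kernel code. */
struct task {
    unsigned uid;
    bool has_cap;     /* policy grants the capability */
    bool dontaudit;   /* policy rule that silences denial messages (case 2) */
    unsigned denials; /* denial messages emitted for this task */
};

/* Stand-in for capable(): asking is observable, because a refused
 * check emits a denial message unless the policy silences it. */
static bool model_capable(struct task *t)
{
    if (!t->has_cap && !t->dontaudit)
        t->denials++;
    return t->has_cap;
}

/* Before: the capability is queried first, even when ownership suffices. */
bool may_modify_cap_first(struct task *t, unsigned owner_uid)
{
    return model_capable(t) || t->uid == owner_uid;
}

/* After: the side-effect-free test runs first and || short-circuits,
 * so the capability is only queried when it actually decides the result. */
bool may_modify_cap_last(struct task *t, unsigned owner_uid)
{
    return t->uid == owner_uid || model_capable(t);
}

int main(void)
{
    /* Constructed sample: an unprivileged owner acting on its own object. */
    struct task a = { .uid = 1000 }, b = { .uid = 1000 };
    bool ra = may_modify_cap_first(&a, 1000);
    bool rb = may_modify_cap_last(&b, 1000);
    printf("cap first: allowed=%d denials=%u\n", ra, a.denials);
    printf("cap last:  allowed=%d denials=%u\n", rb, b.denials);

    /* Case 2: a silencing rule also hides a denial that matters. */
    struct task c = { .uid = 1000, .dontaudit = true };
    bool rc = may_modify_cap_last(&c, 0);
    printf("silenced:  allowed=%d denials=%u\n", rc, c.denials);
    return 0;
}
```

Both orderings reach the same allow/deny decision; only the number of denial messages differs.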


