[RFC PATCH 0/4] Introduce capable_noaudit

Carlos Maiolino cem at kernel.org
Thu Jul 2 14:51:01 UTC 2026


On Thu, Jul 02, 2026 at 03:47:37PM +0200, Christian Brauner wrote:
> On 2026-07-02 10:35 +0200, Carlos Maiolino wrote:
> > On Thu, Jul 02, 2026 at 09:41:39AM +0200, Christian Brauner wrote:
> > > On 2026-06-26 13:45 +0200, cem at kernel.org wrote:
> > > > From: Carlos Maiolino <cem at kernel.org>
> > > > 
> > > > In some cases - filesystems quota specifically here - we'd like to check
> > > > for effective capabilities without issuing spurious audit messages and
> > > > without the need to specify a namespace for that.
> > > > 
> > > > This series introduce capable_noaudit() which has the same goal as
> > > > capable() but without firing audit messages.
> > > > 
> > > > Also, this updates both generic quota and xfs quota code to use that.
> > > > 
> > > > The last patch unexports has_capability_noaudit() which was originally
> > > > exported to be used in xfs but turns out it does not meet our needs.
> > > > 
> > > > Note this is based on top of a current series I have to remove
> > > > has_capability_noaudit() calls from xfs so the xfs patch won't
> > > > apply cleanly without that series.
> > > > 
> > > > If adding this helper is acceptable, I'll turn this into a non-rfc
> > > > series with the required changes to apply properly.
> > > > 
> > > > Comments? Flames?
> > > 
> > > Convert more, please.
> > > 
> > 
> > Convert what? :) more callers from capable() to capable_noaudit()?
> 
> Yes, there's more code that should use the noaudit variant. Future
> work...

/me writes to his todo list



More information about the Linux-security-module-archive mailing list