capability: introduce new capable flag NODENYAUDIT #5059
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![kernel-patches-daemon-bpf[bot]](https://avatars.githubusercontent.com/u/70728002?s=60&v=4){kind=small}
Introduce a new capable flag, CAP_OPT_NODENYAUDIT, to not generate an audit event if the requested capability is not granted. This will be used in a new capable_any() functionality to reduce the number of necessary capable calls. Handle the flag accordingly in AppArmor and SELinux. Suggested-by: Paul Moore <paul@paul-moore.com> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
…e audit message Add the interfaces `capable_any()` and `ns_capable_any()` as an alternative to multiple `capable()`/`ns_capable()` calls, like `capable_any(CAP_SYS_NICE, CAP_SYS_ADMIN)` instead of `capable(CAP_SYS_NICE) || capable(CAP_SYS_ADMIN)`. `capable_any()`/`ns_capable_any()` will in particular generate exactly one audit message, either for the left most capability in effect or, if the task has none, the first one. This is especially helpful with regard to SELinux, where each audit message about a not allowed capability request will create a denial message. Using this new wrapper with the least invasive capability as left most argument (e.g. CAP_SYS_NICE before CAP_SYS_ADMIN) enables policy writers to only grant the least invasive one for the particular subject instead of both. Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Use the new added capable_any function in appropriate cases, where a task is required to have any of two capabilities. Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Use the new added capable_any function in appropriate cases, where a task is required to have any of two capabilities. Reorder CAP_SYS_ADMIN last. Fixes: 94c4b4f ("block: Check ADMIN before NICE for IOPRIO_CLASS_RT") Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Use the new added capable_any function in appropriate cases, where a task is required to have any of two capabilities. Reorder CAP_SYS_ADMIN last. Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Use the new added capable_any function in appropriate cases, where a task is required to have any of two capabilities. Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Use the new added capable_any function in appropriate cases, where a task is required to have any of two capabilities. Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Use the new added capable_any function in appropriate cases, where a task is required to have any of two capabilities. Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Use the new added capable_any function in appropriate cases, where a task is required to have any of two capabilities. Add sock_ns_capable_any() wrapper similar to existing sock_ns_capable() one. Reorder CAP_SYS_ADMIN last. Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
|
Upstream branch: 6e61c5f |
|
At least one diff in series https://patchwork.kernel.org/project/netdevbpf/list/?series=746781 irrelevant now. Closing PR. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Pull request for series with
subject: capability: introduce new capable flag NODENYAUDIT
version: 4
url: https://patchwork.kernel.org/project/netdevbpf/list/?series=746781