Add the interfaces `capable_any()` and `ns_capable_any()` as an alternative
to multiple `capable()`/`ns_capable()` calls, like
`capable_any(CAP_SYS_NICE, CAP_SYS_ADMIN)` instead of
`capable(CAP_SYS_NICE) || capable(CAP_SYS_ADMIN)`.

`capable_any()`/`ns_capable_any()` will in particular generate exactly one
audit message, either for the leftmost capability in effect or, if the task
has none, the first one. This is especially helpful with regard to SELinux,
where each audit message about a not allowed capability request will create
a denial message.

Using this new wrapper with the least invasive capability as leftmost
argument (e.g. CAP_SYS_NICE before CAP_SYS_ADMIN) enables policy writers to
only grant the least invasive one for the particular subject instead of
both.

v4 discussion: https://lore.kernel.org/all/20230511142535.732324-10-cgzones@xxxxxxxxxxxxxx/
v3 discussion: https://patchwork.kernel.org/project/selinux/patch/20220615152623.311223-8-cgzones@xxxxxxxxxxxxxx/

v5:
  - rename flag to CAP_OPT_NOAUDIT_ONDENY and internal helper to
    ns_capable_noauditondeny()
  - add check for identical capabilities passed to simplify bpf call sites
  - make use in bpf code
  - add coccinelle script

v4:
  - add CAP_OPT_NODENYAUDIT capable flag

Christian Göttsche (10):
  capability: introduce new capable flag CAP_OPT_NOAUDIT_ONDENY
  capability: add any wrappers to test for multiple caps with exactly one
    audit message
  capability: use new capable_any functionality
  block: use new capable_any functionality
  drivers: use new capable_any functionality
  fs: use new capable_any functionality
  kernel: use new capable_any functionality
  net: use new capable_any functionality
  bpf: use new capable_any functionality
  coccinelle: add script for capable_any()

 MAINTAINERS                              |   1 +
 block/ioprio.c                           |   9 +-
 drivers/gpu/drm/amd/amdkfd/kfd_chardev.c |   3 +-
 drivers/net/caif/caif_serial.c           |   2 +-
 drivers/s390/block/dasd_eckd.c           |   2 +-
 fs/pipe.c                                |   2 +-
 include/linux/bpf.h                      |   2 +-
 include/linux/capability.h               |  17 ++-
 include/linux/security.h                 |   2 +
 include/net/sock.h                       |   1 +
 kernel/bpf/syscall.c                     |   2 +-
 kernel/bpf/token.c                       |   2 +-
 kernel/capability.c                      |  73 ++++++++++
 kernel/fork.c                            |   2 +-
 net/caif/caif_socket.c                   |   2 +-
 net/core/sock.c                          |  15 ++-
 net/ieee802154/socket.c                  |   6 +-
 net/ipv4/ip_sockglue.c                   |   5 +-
 net/ipv6/ipv6_sockglue.c                 |   3 +-
 net/unix/af_unix.c                       |   2 +-
 scripts/coccinelle/api/capable_any.cocci | 164 +++++++++++++++++++++++
 security/apparmor/capability.c           |   8 +-
 security/selinux/hooks.c                 |  14 +-
 23 files changed, 293 insertions(+), 46 deletions(-)
 create mode 100644 scripts/coccinelle/api/capable_any.cocci

-- 
2.43.0
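To make the "exactly one audit message" property concrete, here is an added user-space model of the semantics the cover letter describes. It is illustration code written for this page, not kernel code and not part of the series: `struct task`, `lsm_capable()`, `audit_log[]` and the `audits_*`/`audited_cap_*` helpers are hypothetical stand-ins for the task credential, the LSM capable hook and the audit subsystem. The model follows the cover letter's wording (test each capability without auditing denials, and if the task holds none, audit the first one); the capability numbers are the real Linux values, everything else is a simplification.

```c
/* Added illustration: user-space model of capable_any() audit behaviour.
 * Not kernel code.  Hypothetical names: struct task, lsm_capable(),
 * audit_log[], audits_old_idiom(), audits_capable_any(), audited_cap_capable_any(). */
#include <stdbool.h>
#include <stdio.h>

/* Real Linux capability numbers (include/uapi/linux/capability.h). */
enum { CAP_SYS_ADMIN = 21, CAP_SYS_NICE = 23 };

/* Flag name from the series; the value is a modelling assumption. */
#define CAP_OPT_NONE           0u
#define CAP_OPT_NOAUDIT_ONDENY 1u

struct task { unsigned long long caps; };   /* effective capability bitmask */

/* Simulated audit sink: one record per audit message the LSM would emit. */
struct audit_rec { int cap; bool granted; };
#define MAX_AUDIT 16
static struct audit_rec audit_log[MAX_AUDIT];
static int audit_count;

static void audit_reset(void) { audit_count = 0; }

/* Simulated LSM capable hook: records a message for every decision unless the
 * request was denied and the caller passed CAP_OPT_NOAUDIT_ONDENY. */
static bool lsm_capable(const struct task *t, int cap, unsigned int opts)
{
    bool granted = (t->caps >> cap) & 1ULL;
    if ((granted || !(opts & CAP_OPT_NOAUDIT_ONDENY)) && audit_count < MAX_AUDIT) {
        audit_log[audit_count].cap = cap;
        audit_log[audit_count].granted = granted;
        audit_count++;
    }
    return granted;
}

static bool capable(const struct task *t, int cap)
{
    return lsm_capable(t, cap, CAP_OPT_NONE);
}

static bool capable_noauditondeny(const struct task *t, int cap)
{
    return lsm_capable(t, cap, CAP_OPT_NOAUDIT_ONDENY);
}

/* Model of capable_any(): try cap1 then cap2 without auditing denials; if
 * neither is held, fall back to a plain capable(cap1) so that exactly one
 * (denial) message names the leftmost, least invasive capability. */
static bool capable_any(const struct task *t, int cap1, int cap2)
{
    if (cap1 == cap2)                      /* identical caps: single check */
        return capable(t, cap1);
    if (capable_noauditondeny(t, cap1))
        return true;
    if (capable_noauditondeny(t, cap2))
        return true;
    return capable(t, cap1);
}

/* Audit messages produced by the old idiom: capable(A) || capable(B). */
static int audits_old_idiom(unsigned long long caps)
{
    struct task t = { caps };
    audit_reset();
    (void)(capable(&t, CAP_SYS_NICE) || capable(&t, CAP_SYS_ADMIN));
    return audit_count;
}

/* Audit messages produced by capable_any(CAP_SYS_NICE, CAP_SYS_ADMIN). */
static int audits_capable_any(unsigned long long caps)
{
    struct task t = { caps };
    audit_reset();
    (void)capable_any(&t, CAP_SYS_NICE, CAP_SYS_ADMIN);
    return audit_count;
}

/* Which capability the single capable_any() message names (-1 if none). */
static int audited_cap_capable_any(unsigned long long caps)
{
    (void)audits_capable_any(caps);
    return audit_count ? audit_log[0].cap : -1;
}

int main(void)
{
    const unsigned long long sets[] = { 0ULL, 1ULL << CAP_SYS_ADMIN, 1ULL << CAP_SYS_NICE };
    const char *names[] = { "no caps", "CAP_SYS_ADMIN only", "CAP_SYS_NICE only" };
    for (int i = 0; i < 3; i++)
        printf("%-20s old idiom: %d msg(s), capable_any: %d msg(s), names cap %d\n",
               names[i], audits_old_idiom(sets[i]), audits_capable_any(sets[i]),
               audited_cap_capable_any(sets[i]));
    return 0;
}
```

The interesting rows are the task with no capabilities (two denial records with the old idiom, one with `capable_any()`, and that one names CAP_SYS_NICE) and the task holding only CAP_SYS_ADMIN (the old idiom still logs a spurious CAP_SYS_NICE denial before the grant; `capable_any()` logs only the grant). That single CAP_SYS_NICE denial is what lets an SELinux policy writer grant the less invasive capability instead of both.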