Add the interfaces `capable_any()` and `ns_capable_any()` as an alternative to
multiple `capable()`/`ns_capable()` calls, like
`capable_any(CAP_SYS_NICE, CAP_SYS_ADMIN)` instead of
`capable(CAP_SYS_NICE) || capable(CAP_SYS_ADMIN)`.

`capable_any()`/`ns_capable_any()` will in particular generate exactly one
audit message, either for the leftmost capability in effect or, if the task
has none, the first one.

This is especially helpful with regard to SELinux, where each audit message
about a not allowed capability request will create a denial message. Using
this new wrapper with the least invasive capability as leftmost argument
(e.g. CAP_SYS_NICE before CAP_SYS_ADMIN) enables policy writers to only grant
the least invasive one for the particular subject instead of both.

v3 discussion: https://patchwork.kernel.org/project/selinux/patch/20220615152623.311223-8-cgzones@xxxxxxxxxxxxxx/

v4:
  - add CAP_OPT_NODENYAUDIT capable flag

Christian Göttsche (9):
  capability: introduce new capable flag NODENYAUDIT
  capability: add any wrapper to test for multiple caps with exactly one audit message
  capability: use new capable_any functionality
  block: use new capable_any functionality
  drivers: use new capable_any functionality
  fs: use new capable_any functionality
  kernel: use new capable_any functionality
  bpf: use new capable_any functionality
  net: use new capable_any functionality

 block/ioprio.c                           |  9 +--
 drivers/gpu/drm/amd/amdkfd/kfd_chardev.c |  3 +-
 drivers/net/caif/caif_serial.c           |  2 +-
 drivers/s390/block/dasd_eckd.c           |  2 +-
 fs/pipe.c                                |  2 +-
 include/linux/capability.h               | 17 ++++--
 include/linux/security.h                 |  2 +
 include/net/sock.h                       |  1 +
 kernel/bpf/syscall.c                     |  2 +-
 kernel/capability.c                      | 70 ++++++++++++++++++++++++
 kernel/fork.c                            |  2 +-
 net/caif/caif_socket.c                   |  2 +-
 net/core/sock.c                          | 18 +++---
 net/ieee802154/socket.c                  |  6 +-
 net/ipv4/ip_sockglue.c                   |  4 +-
 net/ipv6/ipv6_sockglue.c                 |  3 +-
 net/unix/scm.c                           |  2 +-
 security/apparmor/capability.c           |  8 ++-
 security/selinux/hooks.c                 | 14 +++--
 19 files changed, 123 insertions(+), 46 deletions(-)

-- 
2.40.1
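The audit-message difference the cover letter describes can be illustrated with a small model. The C program below is an added example, not code from this series or from the kernel: capabilities are a plain bitmask, the audit log is an in-memory array, and `capable_any()` is modelled the way the cover letter describes it (a check that does not audit denials for each candidate in order, then a regular audited check on the first one). `model_capable`, `model_capable_noaudit`, `model_capable_any`, `run_old`, `run_any`, `first_cap` and `first_granted` are names chosen for this example; CAP_SYS_ADMIN (21) and CAP_SYS_NICE (23) are the real capability numbers.

```c
#include <stdbool.h>
#include <stdio.h>

/*
 * Constructed model of the audit behaviour described in the cover letter.
 * Not the kernel's code: capabilities are a plain bitmask, the audit log is
 * an in-memory array, and only message counts and ordering are modelled.
 */
#define CAP_SYS_ADMIN 21   /* real values from include/uapi/linux/capability.h */
#define CAP_SYS_NICE  23
#define MAX_MSGS 8

struct audit_msg { int cap; bool granted; };
struct audit_log { int n; struct audit_msg msgs[MAX_MSGS]; };
struct task { unsigned long long cap_effective; };  /* one bit per capability */

static bool has_cap(const struct task *t, int cap)
{
	return (t->cap_effective >> cap) & 1ULL;
}

static void audit(struct audit_log *log, int cap, bool granted)
{
	if (log->n < MAX_MSGS)
		log->msgs[log->n] = (struct audit_msg){ cap, granted };
	log->n++;
}

/* Model of capable(): every call emits one message, granted or denied. */
static bool model_capable(const struct task *t, int cap, struct audit_log *log)
{
	bool ok = has_cap(t, cap);
	audit(log, cap, ok);
	return ok;
}

/* Model of a check with CAP_OPT_NODENYAUDIT: a denial emits no message. */
static bool model_capable_noaudit(const struct task *t, int cap, struct audit_log *log)
{
	bool ok = has_cap(t, cap);
	if (ok)
		audit(log, cap, true);
	return ok;
}

/*
 * Model of capable_any(cap1, cap2): exactly one message, for the leftmost
 * capability in effect or, if the task has neither, a denial for cap1.
 */
static bool model_capable_any(const struct task *t, int cap1, int cap2,
			      struct audit_log *log)
{
	if (model_capable_noaudit(t, cap1, log))
		return true;
	if (model_capable_noaudit(t, cap2, log))
		return true;
	return model_capable(t, cap1, log);
}

/* Old pattern: capable(CAP_SYS_NICE) || capable(CAP_SYS_ADMIN). */
static struct audit_log run_old(unsigned long long caps)
{
	struct task t = { caps };
	struct audit_log log = { 0 };
	(void)(model_capable(&t, CAP_SYS_NICE, &log) ||
	       model_capable(&t, CAP_SYS_ADMIN, &log));
	return log;
}

/* New pattern: capable_any(CAP_SYS_NICE, CAP_SYS_ADMIN). */
static struct audit_log run_any(unsigned long long caps)
{
	struct task t = { caps };
	struct audit_log log = { 0 };
	(void)model_capable_any(&t, CAP_SYS_NICE, CAP_SYS_ADMIN, &log);
	return log;
}

/* Accessors for the first message: -1 / false when nothing was audited. */
static int first_cap(struct audit_log log) { return log.n ? log.msgs[0].cap : -1; }
static bool first_granted(struct audit_log log) { return log.n && log.msgs[0].granted; }

int main(void)
{
	unsigned long long admin_only = 1ULL << CAP_SYS_ADMIN;
	/* A task holding only CAP_SYS_ADMIN: the old pattern first logs a
	 * denial for CAP_SYS_NICE (an SELinux AVC denial in practice), the
	 * new one logs a single grant for the leftmost capability held. */
	printf("old pattern:  %d message(s), first cap %d %s\n", run_old(admin_only).n,
	       first_cap(run_old(admin_only)), first_granted(run_old(admin_only)) ? "granted" : "denied");
	printf("capable_any:  %d message(s), first cap %d %s\n", run_any(admin_only).n,
	       first_cap(run_any(admin_only)), first_granted(run_any(admin_only)) ? "granted" : "denied");
	return 0;
}
```

The task that holds only CAP_SYS_ADMIN is the case the cover letter is about: with `capable() || capable()` the first call is denied and audited, so an SELinux policy writer sees an AVC denial for CAP_SYS_NICE and is tempted to grant both capabilities; with `capable_any()` the only message is the grant for CAP_SYS_ADMIN. When the task holds neither, both patterns deny, but `capable_any()` reports a single denial for the leftmost (least invasive) capability, which is the one the policy should then grant.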