On Fri, Mar 15, 2024 at 7:38 AM Christian Göttsche <cgzones@xxxxxxxxxxxxxx> wrote:
>
> Introduce a new capable flag, CAP_OPT_NOAUDIT_ONDENY, to not generate
> an audit event if the requested capability is not granted. This will be
> used in a new capable_any() functionality to reduce the number of
> necessary capable calls.
>
> Handle the flag accordingly in AppArmor and SELinux.
>
> CC: linux-block@xxxxxxxxxxxxxxx
> Suggested-by: Paul Moore <paul@xxxxxxxxxxxxxx>
> Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
> ---
> v5:
>    rename flag to CAP_OPT_NOAUDIT_ONDENY, suggested by Serge:
>      https://lore.kernel.org/all/20230606190013.GA640488@xxxxxxxxxxxxxxx/
> ---
>  include/linux/security.h       |  2 ++
>  security/apparmor/capability.c |  8 +++++---
>  security/selinux/hooks.c       | 14 ++++++++------
>  3 files changed, 15 insertions(+), 9 deletions(-)

Acked-by: Paul Moore <paul@xxxxxxxxxxxxxx>

--
paul-moore.com