On Fri, 2008-11-14 at 09:55 +0200, Artem Bityutskiy wrote: > Eric Paris wrote: > > ext[2,3,4], ufs, and ubifs all check for CAP_SYS_RESOURCE to determine > > if they should allow reserved blocks to be used. A process not having > > this capability is not failing some security decision and should not be > > audited. Thus move to using has_capability_noaudit. > > > > Signed-off-by: Eric Paris <eparis@xxxxxxxxxx> > > --- > > UBIFS part looks OK, as long as the whole idea of the patch is right, which > I have not checked, but assume it is. > > The only question is are you sure exporting 'cap_capable()' is relevant > to this patch? You do not seem to call it directly. After this change, modules call has_capability_noaudit() which is a #define which turns this into modules calling security_capable_noaudit(). You noticed this and decided it was correct to make that export. But when CONFIG_SECURITY is not set security_capable_notaudit() is a static inline which calls cap_capable(). See include/linux/security.h line 2832 in the linux-next tree. Now modules are calling cap_capable directly, thus the export. -Eric -- To unsubscribe from this list: send the line "unsubscribe linux-ext4" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
