[GIT PULL] xattr audit fix for v6.2

Hi Linus,

/* Summary */
This is a single patch to remove auditing of the
capability check in simple_xattr_list(). This check is done to check
whether trusted xattrs should be included by listxattr(2). SELinux will
normally log a denial when capable() is called and the task's SELinux
context doesn't have the corresponding capability permission allowed,
which can end up spamming the log. Since a failed check here cannot be
used to infer malicious intent, auditing is of no real value, and it
makes sense to stop auditing the capability check.

/* Testing */
The patch is based off of 6.1-rc4 and has been sitting in linux-next. No
build failures or warnings were observed and fstests, selftests, and LTP
show no regressions.

/* Conflicts */
At the time of creating this PR no merge conflicts were reported from
linux-next. A test merge with current mainline also showed no conflicts.

The following changes since commit f0c4d9fc9cc9462659728d168387191387e903cc:

  Linux 6.1-rc4 (2022-11-06 15:07:11 -0800)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/vfs/idmapping.git tags/fs.xattr.simple.noaudit.v6.2

for you to fetch changes up to e7eda157c4071cd1e69f4b1687b0fbe1ae5e6f46:

  fs: don't audit the capability check in simple_xattr_list() (2022-11-07 16:55:45 +0100)

Please consider pulling these changes from the signed
fs.xattr.simple.noaudit.v6.2.

Thanks!
Seth

----------------------------------------------------------------
fs.xattr.simple.noaudit.v6.2

----------------------------------------------------------------
Ondrej Mosnacek (1):
      fs: don't audit the capability check in simple_xattr_list()

 fs/xattr.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)


