On Sun, Mar 02, 2025 at 05:06:47PM +0100, Christian Göttsche wrote: > From: Christian Göttsche <cgzones@xxxxxxxxxxxxxx> > > capable() calls refer to enabled LSMs whether to permit or deny the > request. This is relevant in connection with SELinux, where a > capability check results in a policy decision and by default a denial > message on insufficient permission is issued. > It can lead to three undesired cases: > 1. A denial message is generated, even in case the operation was an > unprivileged one and thus the syscall succeeded, creating noise. > 2. To avoid the noise from 1. the policy writer adds a rule to ignore > those denial messages, hiding future syscalls, where the task > performs an actual privileged operation, leading to hidden limited > functionality of that task. > 3. To avoid the noise from 1. the policy writer adds a rule to permit > the task the requested capability, while it does not need it, > violating the principle of least privilege. > > Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx> > Reviewed-by: Serge Hallyn <serge@xxxxxxxxxx> > --- > drivers/infiniband/hw/mlx5/devx.c | 10 ++++++---- > 1 file changed, 6 insertions(+), 4 deletions(-) Thanks, applied. https://web.git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma.git/commit/?h=wip/leon-for-next&id=3745242ad1e1c07d5990b33764529eb13565db44
