On Wed, Sep 2, 2020 at 7:18 AM Christian Göttsche <cgzones@xxxxxxxxxxxxxx> wrote:
>
> sched_setattr(2) does via kernel/sched/core.c:__sched_setscheduler()
> issue a CAP_SYS_NICE audit unconditionally, even when the requested
> operation does not require that capability.
>
> Use an unaudited check first and perform an additional audited check
> only on an actual permission denial.

Could we just delay calling capable() until we know we need it?

Also, this patch will need to go to the scheduler maintainers not just selinux list. Might want to also copy linux-security-module list since it is relevant to all security modules that implement the capable hook.
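As an added illustration of the audit-noise difference under discussion (a constructed user-space model written for this thread, not kernel code or the patch itself): it counts the audit records a caller without CAP_SYS_NICE generates under the unconditional check, the unaudited-then-audited pattern, and the delayed capable() call. The rule that only non-SCHED_NORMAL policies need the capability is a simplifying assumption, and cap_audited()/cap_noaudit() stand in for capable() and an unaudited variant.

```c
#include <stdbool.h>

/* Constructed model; policy numbers are placeholders, not kernel values. */
#define SCHED_NORMAL_M 0
#define SCHED_FIFO_M   1

struct req { int policy; int nice; };   /* hypothetical minimal request */

/* Simulated caller state and the audit log counter. */
static bool g_has_cap_sys_nice = false;
static int  g_audit_records = 0;

/* Models capable(CAP_SYS_NICE): every failed call emits an audit record. */
static bool cap_audited(void) {
    if (!g_has_cap_sys_nice) g_audit_records++;
    return g_has_cap_sys_nice;
}

/* Models an unaudited capability check: same answer, no record. */
static bool cap_noaudit(void) { return g_has_cap_sys_nice; }

/* Simplifying assumption: only real-time policies need CAP_SYS_NICE. */
static bool needs_privilege(const struct req *r) {
    return r->policy != SCHED_NORMAL_M;
}

/* "Before": the capability is checked (and audited) unconditionally. */
static bool setscheduler_before(const struct req *r) {
    bool cap = cap_audited();
    return !(needs_privilege(r) && !cap);
}

/* Patch approach: unaudited check first, audited check only on denial. */
static bool setscheduler_patch(const struct req *r) {
    if (needs_privilege(r) && !cap_noaudit() && !cap_audited())
        return false;
    return true;
}

/* Reply's alternative: call the audited check only once it is needed. */
static bool setscheduler_lazy(const struct req *r) {
    return !(needs_privilege(r) && !cap_audited());
}

/* Runs one request through a variant with a fresh log and returns the
 * number of audit records it produced. */
static int audit_records_for(bool (*fn)(const struct req *), int policy,
                             int nice, bool has_cap) {
    struct req r = { policy, nice };
    g_has_cap_sys_nice = has_cap;
    g_audit_records = 0;
    (void)fn(&r);
    return g_audit_records;
}
```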