On Wed, Sep 2, 2020 at 5:17 PM Stephen Smalley
<stephen.smalley.work@xxxxxxxxx> wrote:
> On Wed, Sep 2, 2020 at 7:18 AM Christian Göttsche
> <cgzones@xxxxxxxxxxxxxx> wrote:
> >
> > sched_setattr(2) does via kernel/sched/core.c:__sched_setscheduler()
> > issue a CAP_SYS_NICE audit unconditionally, even when the requested
> > operation does not require that capability.
> >
> > Use an unaudited check first and perform an additional audited check
> > only on an actual permission denial.
>
> Could we just delay calling capable() until we know we need it?

Yes, please - because with this patch it could happen that an LSM
policy changes between the ns_capable_noaudit() call and capable()
call, such that the first one is denied and the second one allowed, in
which case the operation would fail without being audited.

--
Ondrej Mosnacek
Software Engineer, Platform Security - SELinux kernel
Red Hat, Inc.
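
Added example, not part of the original message and not kernel code: a user-space C model of the window described in the reply above, where a policy change lands between the unaudited and the audited check. All names (`struct policy`, `check_noaudit`, `check_audited`, `two_step`, `delayed`) are hypothetical stand-ins, and the model assumes the two-step pattern keeps the first check's denial.

```c
#include <stdbool.h>
#include <stdio.h>

/* User-space model; every name here is hypothetical, not a kernel API. */
struct policy { bool allow_nice; int denials_audited; };

/* Models an unaudited capability check: decision only, no record. */
static bool check_noaudit(const struct policy *p) { return p->allow_nice; }

/* Models an audited capability check: a denial leaves an audit record. */
static bool check_audited(struct policy *p)
{
    if (!p->allow_nice)
        p->denials_audited++;
    return p->allow_nice;
}

/* Two-step pattern: unaudited check first, audited check only after a
 * denial. reload_between models a policy reload landing between the two
 * calls (constructed scenario). Returns 0 on success, -1 on denial. */
static int two_step(struct policy *p, bool needs_cap, bool reload_between)
{
    if (!needs_cap || check_noaudit(p))
        return 0;
    if (reload_between)
        p->allow_nice = true;   /* policy now grants the capability */
    check_audited(p);           /* called only to emit the record */
    return -1;                  /* denial was already decided above */
}

/* Alternative raised in the thread: one audited check, made only once
 * the operation is known to need the capability. */
static int delayed(struct policy *p, bool needs_cap)
{
    if (!needs_cap)
        return 0;
    return check_audited(p) ? 0 : -1;
}

int main(void)
{
    struct policy a = {false, 0}, b = {false, 0};
    int ra = two_step(&a, true, true);
    int rb = delayed(&b, true);
    printf("two_step: ret=%d audited=%d\n", ra, a.denials_audited);
    printf("delayed:  ret=%d audited=%d\n", rb, b.denials_audited);
    return 0;
}
```

With a single audited check, the decision and the record come from the same policy state, so a denial cannot go unrecorded and an operation that needs no capability produces no record.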