git.baikalelectronics.ru Git - kernel.git/commit

author	Darrick J. Wong <djwong@kernel.org>
	Sat, 26 Feb 2022 00:18:30 +0000 (16:18 -0800)
committer	Darrick J. Wong <djwong@kernel.org>
	Wed, 9 Mar 2022 18:32:06 +0000 (10:32 -0800)
commit	54219bd2301c8d3b8a316601122ddfdc4346f1a7
tree	1be2c9ccae0253dc7e6b184a309657abf2e48036	tree \| snapshot
parent	256eef9091b2054b98015b897967cca6d750c5d4	commit \| diff

xfs: don't generate selinux audit messages for capability testing

There are a few places where we test the current process' capability set
to decide if we're going to be more or less generous with resource
acquisition for a system call. If the process doesn't have the
capability, we can continue the call, albeit in a degraded mode.

These are /not/ the actual security decisions, so it's not proper to use
capable(), which (in certain selinux setups) causes audit messages to
get logged. Switch them to has_capability_noaudit.

Fixes: 7569b1d06520a ("xfs: refactor inode ownership change transaction/inode/quota allocation idiom")
Fixes: 9ce451af5e6a0 ("xfs: only return detailed fsmap info if the caller has CAP_SYS_ADMIN")
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Cc: Dave Chinner <david@fromorbit.com>
Reviewed-by: Ondrej Mosnacek <omosnace@redhat.com>
Acked-by: Serge Hallyn <serge@hallyn.com>
Reviewed-by: Eric Sandeen <sandeen@redhat.com>

fs/xfs/xfs_fsmap.c		diff \| blob \| history
fs/xfs/xfs_ioctl.c		diff \| blob \| history
fs/xfs/xfs_iops.c		diff \| blob \| history
kernel/capability.c		diff \| blob \| history