On Fri, Mar 15, 2024 at 7:38 AM Christian Göttsche <[email protected]> wrote:
>
> Introduce a new capable flag, CAP_OPT_NOAUDIT_ONDENY, to not generate
> an audit event if the requested capability is not granted. This will be
> used in a new capable_any() functionality to reduce the number of
> necessary capable calls.
>
> Handle the flag accordingly in AppArmor and SELinux.
>
> CC: [email protected]
> Suggested-by: Paul Moore <[email protected]>
> Signed-off-by: Christian Göttsche <[email protected]>
> ---
> v5:
> rename flag to CAP_OPT_NOAUDIT_ONDENY, suggested by Serge:
> https://lore.kernel.org/all/[email protected]/
> ---
> include/linux/security.h | 2 ++
> security/apparmor/capability.c | 8 +++++---
> security/selinux/hooks.c | 14 ++++++++------
> 3 files changed, 15 insertions(+), 9 deletions(-)

Acked-by: Paul Moore <[email protected]>

-- 
paul-moore.com
