[apparmor] [PATCH 01/10] capability: introduce new capable flag CAP_OPT_NOAUDIT_ONDENY

2024-03-15 Thread Christian Göttsche
Introduce a new capable flag, CAP_OPT_NOAUDIT_ONDENY, to not generate an audit event if the requested capability is not granted. This will be used in a new capable_any() functionality to reduce the number of necessary capable calls. Handle the flag accordingly in AppArmor and SELinux. CC:
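To make the audit difference concrete, here is an added userland mock (not code from this patch series, the kernel, or the author) of what a NOAUDIT_ONDENY flag buys an "any of these capabilities" check. The flag values, the bitmask task model, the audit counters and the assumption that capable_any() passes the flag on every alternative but the last are all assumptions made for the example, not taken from the patch:

```c
/* Added example: a userland mock of the audit behaviour CAP_OPT_NOAUDIT_ONDENY
 * is meant to give an "any of these capabilities" check. Flag values, the
 * task model and the audit sink are assumptions, not kernel code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed flag values; only their distinctness matters for the mock. */
#define CAP_OPT_NONE           0x0u
#define CAP_OPT_NOAUDIT        0x2u  /* never audit, granted or denied */
#define CAP_OPT_NOAUDIT_ONDENY 0x4u  /* audit a grant, stay quiet on a denial */

/* Capability numbers as in <linux/capability.h>. */
#define CAP_DAC_OVERRIDE    1
#define CAP_DAC_READ_SEARCH 2
#define CAP_SYS_ADMIN       21

struct outcome {
    bool granted;
    unsigned int denial_records; /* audit records for denied checks */
    unsigned int grant_records;  /* audit records for granted checks */
};

static struct outcome current;

/* Mock LSM capable hook: the effective set is a bitmask of cap numbers. */
static bool mock_capable(uint64_t effective, int cap, unsigned int opts)
{
    bool granted = (effective >> cap) & 1u;

    if (opts & CAP_OPT_NOAUDIT)
        return granted;
    if (granted)
        current.grant_records++;
    else if (!(opts & CAP_OPT_NOAUDIT_ONDENY))
        current.denial_records++;
    return granted;
}

/* Open-coded alternative: every denied alternative is audited, so a task
 * that holds only the second capability still produces a denial record. */
struct outcome check_naive(uint64_t effective, const int *caps, size_t n)
{
    current = (struct outcome){0};
    for (size_t i = 0; i < n; i++) {
        if (mock_capable(effective, caps[i], CAP_OPT_NONE)) {
            current.granted = true;
            break;
        }
    }
    return current;
}

/* capable_any()-style check as assumed here: every alternative but the last
 * passes CAP_OPT_NOAUDIT_ONDENY, so a denial is recorded only when the
 * whole check fails, and it names the last alternative. */
struct outcome check_any(uint64_t effective, const int *caps, size_t n)
{
    current = (struct outcome){0};
    if (n == 0)
        return current;
    for (size_t i = 0; i + 1 < n; i++) {
        if (mock_capable(effective, caps[i], CAP_OPT_NOAUDIT_ONDENY)) {
            current.granted = true;
            return current;
        }
    }
    current.granted = mock_capable(effective, caps[n - 1], CAP_OPT_NONE);
    return current;
}

/* Constructed alternatives: a read-only DAC bypass is enough for the caller. */
const int dac_alternatives[2] = { CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH };

int main(void)
{
    uint64_t task = 1ull << CAP_DAC_READ_SEARCH; /* constructed effective set */
    struct outcome a = check_naive(task, dac_alternatives, 2);
    struct outcome b = check_any(task, dac_alternatives, 2);

    printf("naive: granted=%d denials=%u grants=%u\n",
           a.granted, a.denial_records, a.grant_records);
    printf("any:   granted=%d denials=%u grants=%u\n",
           b.granted, b.denial_records, b.grant_records);
    return 0;
}
```

The point the mock makes: a task holding only CAP_DAC_READ_SEARCH is granted either way, but the open-coded check leaves a CAP_DAC_OVERRIDE denial in the audit log, which is exactly the kind of record that tempts a policy author into granting the stronger capability. Under the flag, a grant is still audited (unlike CAP_OPT_NOAUDIT), so policies that audit successful capability use keep their signal.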

[apparmor] [PATCH 2/2] apparmor: fix typo in kernel doc

2024-03-15 Thread Christian Göttsche
Fix the typo in the function documentation to please kernel doc warnings. Signed-off-by: Christian Göttsche --- security/apparmor/lsm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index cef8c466af80..d0485fb0ed63 100644

[PATCH 05/11] neighbour: constify ctl_table arguments of utility function

2024-03-15 Thread Thomas Weißschuh
In a future commit the proc_handlers themselves will change to "const struct ctl_table". As a preparation for that adapt the internal helper. Signed-off-by: Thomas Weißschuh --- net/core/neighbour.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/core/neighbour.c

[PATCH 06/11] ipv4/sysctl: constify ctl_table arguments of utility functions

2024-03-15 Thread Thomas Weißschuh
In a future commit the proc_handlers themselves will change to "const struct ctl_table". As a preparation for that adapt the internal helpers. Signed-off-by: Thomas Weißschuh --- net/ipv4/sysctl_net_ipv4.c | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git

[PATCH 10/11] sysctl: constify ctl_table arguments of utility function

2024-03-15 Thread Thomas Weißschuh
In a future commit the proc_handlers themselves will change to "const struct ctl_table". As a preparation for that adapt the internal helper. Signed-off-by: Thomas Weißschuh --- include/linux/sysctl.h | 2 +- kernel/sysctl.c| 21 +++-- 2 files changed, 12 insertions(+),

[PATCH 09/11] ipvs: constify ctl_table arguments of utility functions

2024-03-15 Thread Thomas Weißschuh
In a future commit the proc_handlers themselves will change to "const struct ctl_table". As a preparation for that adapt the internal helpers. Signed-off-by: Thomas Weißschuh --- net/netfilter/ipvs/ip_vs_ctl.c | 7 --- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git

[PATCH 01/11] stackleak: don't modify ctl_table argument

2024-03-15 Thread Thomas Weißschuh
In a future commit the proc_handlers will change to "const struct ctl_table". As a preparation for that adapt the logic to work with a temporary variable, similar to how it is done in other parts of the kernel. Fixes: 964c9dff0091 ("stackleak: Allow runtime disabling of kernel stack erasing")

[PATCH 00/11] sysctl: treewide: constify ctl_table argument of sysctl handlers

2024-03-15 Thread Thomas Weißschuh
* Patch 1 is a bugfix for the stack_erasing sysctl handler
* Patches 2-10 change various helper functions throughout the kernel to be able to handle 'const ctl_table'.
* Patch 11 changes the signatures of all proc handlers through the tree.

Some other signatures are also adapted, for details

[PATCH 03/11] hugetlb: constify ctl_table arguments of utility functions

2024-03-15 Thread Thomas Weißschuh
In a future commit the proc_handlers themselves will change to "const struct ctl_table". As a preparation for that adapt the internal helpers. Signed-off-by: Thomas Weißschuh --- mm/hugetlb.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/mm/hugetlb.c b/mm/hugetlb.c

[PATCH 02/11] cgroup: bpf: constify ctl_table arguments and fields

2024-03-15 Thread Thomas Weißschuh
In a future commit the sysctl core will only use "const struct ctl_table". As a preparation for that adapt the cgroup-bpf code. Signed-off-by: Thomas Weißschuh --- include/linux/filter.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/linux/filter.h

[PATCH 04/11] utsname: constify ctl_table arguments of utility function

2024-03-15 Thread Thomas Weißschuh
In a future commit the proc_handlers themselves will change to "const struct ctl_table". As a preparation for that adapt the internal helper. Signed-off-by: Thomas Weißschuh --- kernel/utsname_sysctl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/utsname_sysctl.c

[PATCH 07/11] ipv6/addrconf: constify ctl_table arguments of utility functions

2024-03-15 Thread Thomas Weißschuh
In a future commit the proc_handlers themselves will change to "const struct ctl_table". As a preparation for that adapt the internal helpers. Signed-off-by: Thomas Weißschuh --- net/ipv6/addrconf.c | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/net/ipv6/addrconf.c

[PATCH 11/11] sysctl: treewide: constify the ctl_table argument of handlers

2024-03-15 Thread Thomas Weißschuh
Adapt the proc_handler function signature to make it clear that handlers are not supposed to modify their ctl_table argument. This is a prerequisite to moving the static ctl_table structs into .rodata. By migrating all handlers at once a lengthy transition can be avoided. The patch was mostly
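The "temporary variable" pattern patch 1 applies to the stack_erasing handler, and the const handler signature patch 11 introduces, as an added userland mock (not the kernel's sysctl core, the stackleak code, or the author's patch). The trimmed ctl_table layout, the proc_dointvec stand-in, the knob's 0/1 validation and the write/read helpers are assumptions made for the example:

```c
/* Added example: a userland mock of the "temporary copy" pattern a sysctl
 * handler uses once its ctl_table argument is const. The ctl_table layout,
 * the proc_dointvec stand-in and the knob itself are assumptions, not the
 * kernel's sysctl core or the stackleak code. */
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct ctl_table;
typedef int (*proc_handler_t)(const struct ctl_table *table, int write,
                              char *buf, size_t *lenp);

/* Trimmed-down descriptor; the real one carries mode, extra1/extra2, ... */
struct ctl_table {
    const char *procname;
    void *data;
    int maxlen;
    proc_handler_t proc_handler;
};

/* Stand-in for proc_dointvec(): a write parses a decimal int into
 * table->data; a read formats table->data into buf and updates *lenp. */
static int mock_proc_dointvec(const struct ctl_table *table, int write,
                              char *buf, size_t *lenp)
{
    int *val = table->data;

    if (write) {
        char *end;
        long v = strtol(buf, &end, 10);
        if (end == buf || (*end != '\0' && *end != '\n'))
            return -EINVAL;
        if (v < INT_MIN || v > INT_MAX)
            return -EINVAL;
        *val = (int)v;
        return 0;
    }
    int n = snprintf(buf, *lenp, "%d\n", *val);
    if (n < 0 || (size_t)n >= *lenp)
        return -EINVAL;
    *lenp = (size_t)n;
    return 0;
}

int stack_erasing_enabled = 1; /* hypothetical knob state */

/* The handler never writes through `table`: the descriptor may live in
 * .rodata once it is const, so `table->data = &local` would be a write to a
 * read-only page (and, with the const signature, a compile error). Copy the
 * descriptor, point the copy's .data at a local, and commit to the global
 * only after the parsed value has been validated. */
int stack_erasing_handler(const struct ctl_table *table, int write,
                          char *buf, size_t *lenp)
{
    struct ctl_table tmp = *table;
    int val = stack_erasing_enabled;
    int ret;

    tmp.data = &val;
    ret = mock_proc_dointvec(&tmp, write, buf, lenp);
    if (ret || !write)
        return ret;
    if (val != 0 && val != 1)
        return -EINVAL;       /* reject anything but a boolean */
    stack_erasing_enabled = val;
    return 0;
}

/* Can be const only because the handler signature takes a const table. */
static const struct ctl_table stack_erasing_table = {
    .procname     = "stack_erasing",
    .data         = NULL, /* handler supplies its own scratch variable */
    .maxlen       = sizeof(int),
    .proc_handler = stack_erasing_handler,
};

/* Helpers mimicking a write/read of /proc/sys/kernel/stack_erasing. */
int write_knob(const char *text)
{
    char buf[32];
    size_t len;

    if (strlen(text) >= sizeof(buf))
        return -EINVAL;
    strcpy(buf, text);
    len = strlen(buf);
    return stack_erasing_table.proc_handler(&stack_erasing_table, 1, buf, &len);
}

int read_knob(char *out, size_t outlen)
{
    size_t len = outlen;
    return stack_erasing_table.proc_handler(&stack_erasing_table, 0, out, &len);
}

int main(void)
{
    char out[16];

    printf("write 0 -> %d, enabled=%d\n", write_knob("0\n"), stack_erasing_enabled);
    printf("write 7 -> %d, enabled=%d\n", write_knob("7\n"), stack_erasing_enabled);
    if (read_knob(out, sizeof(out)) == 0)
        printf("read -> %s", out);
    return 0;
}
```

The security-relevant property is that a rejected write (an out-of-range value, or garbage that fails to parse) leaves the global untouched, because the parser only ever wrote the stack-local copy; with the descriptor itself in .rodata, a handler that tried to take the shortcut of pointing `table->data` somewhere else would fault rather than silently corrupt shared state.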

[PATCH 08/11] ipv6/ndisc: constify ctl_table arguments of utility function

2024-03-15 Thread Thomas Weißschuh
In a future commit the proc_handlers themselves will change to "const struct ctl_table". As a preparation for that adapt the internal helper. Signed-off-by: Thomas Weißschuh --- net/ipv6/ndisc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/ipv6/ndisc.c

Re: [PATCH 11/11] sysctl: treewide: constify the ctl_table argument of handlers

2024-03-15 Thread Dave Chinner
On Fri, Mar 15, 2024 at 09:48:09PM +0100, Thomas Weißschuh wrote: > Adapt the proc_handler function signature to make it clear that handlers > are not supposed to modify their ctl_table argument. > > This is a prerequisite to moving the static ctl_table structs into > .rodata. > By migrating all

Re: [apparmor] [PATCH 01/10] capability: introduce new capable flag CAP_OPT_NOAUDIT_ONDENY

2024-03-15 Thread Serge Hallyn
On Fri, Mar 15, 2024 at 12:37:22PM +0100, Christian Göttsche wrote: > Introduce a new capable flag, CAP_OPT_NOAUDIT_ONDENY, to not generate > an audit event if the requested capability is not granted. This will be > used in a new capable_any() functionality to reduce the number of > necessary