summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLinus Torvalds <torvalds@linux-foundation.org>2022-12-12 20:29:45 -0800
committerLinus Torvalds <torvalds@linux-foundation.org>2022-12-12 20:29:45 -0800
commit07d7a4d6961a221af7023d08c89da8ed12fa7dda (patch)
tree4af640e6201ee6bc30c84148dc287a4d10ffe891
parent6e8948a0630f9ee46cf03dbf65949c1f4b6f6dd2 (diff)
parente7eda157c4071cd1e69f4b1687b0fbe1ae5e6f46 (diff)
Merge tag 'fs.xattr.simple.noaudit.v6.2' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/idmapping
Pull xattr audit fix from Seth Forshee: "This is a single patch to remove auditing of the capability check in simple_xattr_list(). This check is done to check whether trusted xattrs should be included by listxattr(2). SELinux will normally log a denial when capable() is called and the task's SELinux context doesn't have the corresponding capability permission allowed, which can end up spamming the log. Since a failed check here cannot be used to infer malicious intent, auditing is of no real value, and it makes sense to stop auditing the capability check" * tag 'fs.xattr.simple.noaudit.v6.2' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/idmapping: fs: don't audit the capability check in simple_xattr_list()
-rw-r--r--fs/xattr.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/fs/xattr.c b/fs/xattr.c
index 3641a0ce5380..86668d2ce268 100644
--- a/fs/xattr.c
+++ b/fs/xattr.c
@@ -1158,7 +1158,7 @@ static int xattr_list_one(char **buffer, ssize_t *remaining_size,
ssize_t simple_xattr_list(struct inode *inode, struct simple_xattrs *xattrs,
char *buffer, size_t size)
{
- bool trusted = capable(CAP_SYS_ADMIN);
+ bool trusted = ns_capable_noaudit(&init_user_ns, CAP_SYS_ADMIN);
struct simple_xattr *xattr;
ssize_t remaining_size = size;
int err = 0;