Date: Mon, 6 Jun 2016 19:51:42 +1000 (AEST)
From: James Morris
To: Tyler Hicks
cc: linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: Re: [PATCH RESEND 2/2] net: Use ns_capable_noaudit() when determining net sysctl permissions
In-Reply-To: <1464929002-6624-3-git-send-email-tyhicks@canonical.com>
References: <1464929002-6624-1-git-send-email-tyhicks@canonical.com> <1464929002-6624-3-git-send-email-tyhicks@canonical.com>

On Thu, 2 Jun 2016, Tyler Hicks wrote:

> The capability check should not be audited since it is only being used
> to determine the inode permissions. A failed check does not indicate a
> violation of security policy but, when an LSM is enabled, a denial audit
> message was being generated.
>
> The denial audit message caused confusion for some application authors
> because root-running Go applications always triggered the denial. To
> prevent this confusion, the capability check in net_ctl_permissions() is
> switched to the noaudit variant.
>
> BugLink: https://launchpad.net/bugs/1465724
>
> Signed-off-by: Tyler Hicks
> Acked-by: Serge E. Hallyn

Both applied to
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git next

-- 
James Morris