• Eric Paris authored · 06112163
    Add a new capable interface that will be used by systems that use audit to
    make an A or B type decision instead of a security decision.  Currently
    this is the case at least for filesystems when deciding if a process can use
    the reserved 'root' blocks and for the case of things like the oom
    algorithm determining if processes are root processes and should be less
    likely to be killed.  These types of security system requests should not be
    audited or logged since they are not really security decisions.  It would be
    possible to solve this problem like the vm_enough_memory security check did
    by creating a new LSM interface and moving all of the policy into that
    interface but that proves to needlessly bloat the LSM and provide complex
    indirection.
    
    This merely allows those decisions to be made where they belong and to not
    flood logs or printk with denials for things that are not security decisions.
    
    Signed-off-by: Eric Paris <eparis@redhat.com>
    Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
    Signed-off-by: James Morris <jmorris@namei.org>
commoncap.c 18.8 KB