io_uring: don't audit the capability check in io_uring_create()
stable inclusion from stable-v5.10.190 commit 22786d53817d1452f30373807f8202bb9bf43732 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I928UI Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=22786d53817d1452f30373807f8202bb9bf43732 -------------------------------- [ Upstream commit 6adc2272 ] The check being unconditional may lead to unwanted denials reported by LSMs when a process has the capability granted by DAC, but denied by an LSM. In the case of SELinux such denials are a problem, since they can't be effectively filtered out via the policy and when not silenced, they produce noise that may hide a true problem or an attack. Since not having the capability merely means that the created io_uring context will be accounted against the current user's RLIMIT_MEMLOCK limit, we can disable auditing of denials for this check by using ns_capable_noaudit() instead of capable(). Fixes: 2b188cc1 ("Add io_uring IO interface") Link: https://bugzilla.redhat.com/show_bug.cgi?id=2193317 Signed-off-by:Ondrej Mosnacek <omosnace@redhat.com> Reviewed-by:
Loading
Please sign in to comment