Re: [RFC PATCH 1/4] capability: Add new capable_noaudit

From: Paul Moore

Date: Fri Jun 26 2026 - 11:36:05 EST


On Fri, Jun 26, 2026 at 7:49 AM <cem@xxxxxxxxxx> wrote:
>
> From: Carlos Maiolino <cem@xxxxxxxxxx>
>
> In some situations (quota enforcement bypass in this case) we'd like to
> check for a specific capability without triggering spurious audit
> messages from security modules like selinux.
>
> Add a new helper so we don't need to use ns_capable_noaudit() directly.
>
> Signed-off-by: Carlos Maiolino <cmaiolino@xxxxxxxxxx>
> ---
> include/linux/capability.h | 5 +++++
> kernel/capability.c | 17 +++++++++++++++++
> 2 files changed, 22 insertions(+)

This is Serge's call, not mine, but FWIW, I somewhat prefer to see
code use the ns_capable_XXX() variants directly as I like to think it
means some thought went into ensuring the capability check is being
done in the right namespace. Yes, we all know that capable() just
uses the init namespace, but I like to think that having to type that
out in the parameter list might be a good double check ;)

--
paul-moore.com