Re: [RFC PATCH 1/4] capabily: Add new capable_noaudit

From: Serge E. Hallyn

Date: Mon Jun 29 2026 - 10:13:18 EST


On Mon, Jun 29, 2026 at 02:29:39PM +0200, Christoph Hellwig wrote:
> On Fri, Jun 26, 2026 at 01:45:20PM +0200, cem@xxxxxxxxxx wrote:
> > +extern bool capable_noaudit(int cap);
>
> No need for the extern.
>
> Otherwise this does look nice and clean to me:
>
> Reviewed-by: Christoph Hellwig <hch@xxxxxx>
>
> But if the security folks don't like it we can live with the more
> verbose version of it I guess.

Honestly I'm ok either way. If people misunderstand the shortcut,
and overuse it, that's safer than the other way. The one that
scares me more is ns_capable(&current_user_ns, X). I need to do an
audit of the current users of that.

So I'm happy to put

Reviewed-by: Serge Hallyn <serge@xxxxxxxxxx>

on the set.