Commit 654e3d27 authored May 11, 2023 by Christian Göttsche Committed by Greg Kroah-Hartman Sep 19, 2023

security: keys: perform capable check only on privileged operations



[ Upstream commit 2d7f105e ]

If the current task fails the check for the queried capability via
`capable(CAP_SYS_ADMIN)` LSMs like SELinux generate a denial message.
Issuing such denial messages unnecessarily can lead to a policy author
granting more privileges to a subject than needed to silence them.

Reorder CAP_SYS_ADMIN checks after the check whether the operation is
actually privileged.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

parent b23cbd3c

Show whitespace changes

Inline Side-by-side

CodeLinaro @codelinaro
mentioned in commit b9ea98aa
· Nov 05, 2025

mentioned in commit b9ea98aa

mentioned in commit b9ea98aa2fd47cd8af31bb674d2de84d09251e09

Toggle commit list
CodeLinaro @codelinaro
mentioned in commit b9ea98aa
· Nov 05, 2025

mentioned in commit b9ea98aa

mentioned in commit b9ea98aa2fd47cd8af31bb674d2de84d09251e09

Toggle commit list
CodeLinaro @codelinaro
mentioned in commit b9ea98aa
· Nov 05, 2025

mentioned in commit b9ea98aa

mentioned in commit b9ea98aa2fd47cd8af31bb674d2de84d09251e09

Toggle commit list
CodeLinaro @codelinaro
mentioned in commit 1289e04b
· Nov 05, 2025

mentioned in commit 1289e04b

mentioned in commit 1289e04b48137d20780f8beb67ad17dc4898a27b

Toggle commit list
CodeLinaro @codelinaro
mentioned in commit 1289e04b
· Nov 05, 2025

mentioned in commit 1289e04b

mentioned in commit 1289e04b48137d20780f8beb67ad17dc4898a27b

Toggle commit list

Please to comment