The oomkiller calculations make decisions based on capabilities. Since

these are not security decisions and LSMs should not record if they fall the request they should use the new has_capability_noaudit() interface so the denials will not be recorded. Signed-off-by: N Eric Paris <eparis@redhat.com> Acked-by: N Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: N James Morris <jmorris@namei.org>

The oomkiller calculations make decisions based on capabilities. Since
these are not security decisions and LSMs should not record if they fall the request they should use the new has_capability_noaudit() interface so the denials will not be recorded. Signed-off-by: N Eric Paris <eparis@redhat.com> Acked-by: N Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: N James Morris <jmorris@namei.org>
a2f2945a · Eric Paris · James Morris · 06112163 · a2f2945a
隐藏空白更改
内联并排

Showing with 3 addition and 3 deletion

mm/oom_kill.c mm/oom_kill.c +3 -3

未找到文件。
--- a/mm/oom_kill.c
+++ b/mm/oom_kill.c
@@ -129,8 +129,8 @@ unsigned long badness(struct task_struct *p, unsigned long uptime)
 	 * Superuser processes are usually more important, so we make it
 	 * less likely that we kill those.
 	 */
-	if (has_capability(p, CAP_SYS_ADMIN) ||
-	    has_capability(p, CAP_SYS_RESOURCE))
+	if (has_capability_noaudit(p, CAP_SYS_ADMIN) ||
+	    has_capability_noaudit(p, CAP_SYS_RESOURCE))
 		points /= 4;

 	/*
@@ -139,7 +139,7 @@ unsigned long badness(struct task_struct *p, unsigned long uptime)
 	 * tend to only have this flag set on applications they think
 	 * of as important.
 	 */
-	if (has_capability(p, CAP_SYS_RAWIO))
+	if (has_capability_noaudit(p, CAP_SYS_RAWIO))
 		points /= 4;

 	/*