* [PATCH v3 0/5] Fix quota evasion on xfs and add capable_noaudit
From: cem @ 2026-07-02 9:33 UTC (permalink / raw)
To: cem
Cc: Jan Kara, Christoph Hellwig, Serge E. Hallyn, Darrick J. Wong,
Dave Chinner, Eric Sandeen, linux-xfs, linux-fsdevel,
linux-security-module, linux-kernel
From: Carlos Maiolino <cem@kernel.org>
Hi there.

This is the (hopefully) final version of the series I've been working on
to fix a quota evasion issue on xfs. This bug was originally
introduced by accident while turning off audit messages while checking
quota limits in xfs by replacing capable() calls with has_capability_noaudit().

This series concatenates both series I sent for xfs and capabilities
infrastructure as they are dependent.

The first patch fixes the xfs bug in a way that makes it easily portable
to older LTS kernels.

From the second patch onward, it adds a new helper for the capabilities
framework named capable_noaudit() which has the same semantics as
capable() but without generating audit messages.

The following patches then both replace the generic quota call to
capable() and properly update xfs code to use this new helper.

Last but not least, this unexports has_capability_noaudit, which had been
previously exported.

Given this affects different subsystems, I think it would be easier to
pull everything from a single tree (as long as everything is properly
reviewed of course).

Serge, Honza, are you guys ok if I pull those patches and send them to
Linus through xfs tree so we don't need to split the series?

Christoph, this series moves back to pass the capable_noaudit() result
straight back to xfs_trans_alloc_ichange() instead of moving the
capability check into xfs_trans_dqresv() as Darrick was not in agreement
with that (patch unreviewed and open for comments).

Changelog from the last state of these patches:

Patch2: removed the redundant external classifier from the declaration
        in include/linux/capability.h.
        Serge, I kept your RwB here as the external is redundant, please
        let me know if you are ok with it or not.
Patch4: Replace all ns_capable_noaudit() calls by capable_noaudit() and
        keep the CAP_FOWNER (instead of replacing it by SYS_RESOURCE)

Carlos Maiolino (5):
xfs: fix capability check in xfs
capability: Add new capable_noaudit
quota: Don't issue audit messages on quota enforcing
xfs: replace ns_capable_noaudit
capability: unexport has_capability_noaudit
fs/quota/dquot.c | 2 +-
fs/xfs/xfs_fsmap.c | 3 +--
fs/xfs/xfs_ioctl.c | 2 +-
fs/xfs/xfs_iops.c | 3 ++-
include/linux/capability.h | 5 +++++
kernel/capability.c | 18 +++++++++++++++++-
6 files changed, 27 insertions(+), 6 deletions(-)
Cc: Jan Kara <jack@suse.cz>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Serge E. Hallyn <serge@hallyn.com>
Cc: Darrick J. Wong <djwong@kernel.org>
Cc: Dave Chinner <david@fromorbit.com>
Cc: Eric Sandeen <sandeen@redhat.com>
Cc: "Dr. Thomas Orgis" <thomas.orgis@uni-hamburg.de>
Cc: linux-xfs@vger.kernel.org
Cc: linux-fsdevel@vger.kernel.org
Cc: linux-security-module@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
--
2.54.0
* [PATCH v3 1/5] xfs: fix capability check in xfs
From: cem @ 2026-07-02 9:33 UTC (permalink / raw)
To: cem
Cc: stable, Jan Kara, Christoph Hellwig, Serge E. Hallyn,
Darrick J. Wong, Dave Chinner, Eric Sandeen, linux-xfs,
linux-fsdevel, linux-security-module, linux-kernel,
Dr. Thomas Orgis
From: Carlos Maiolino <cem@kernel.org>
A user reported a bug where he managed to evade a group's quota
by changing a file's gid to a different group id the same user
belonged to, even though quotas were enforced on both gids and the
file's size was big enough to exceed the quota's hardlimit.

Commit eba0549bc7d1 replaced a capable() call by a
has_capability_noaudit() to prevent unnecessary selinux audit messages.

Turns out that both calls have slightly different semantics even though
their documentation seems similar. Where in a nutshell:

capable() - Tests the task's effective credentials
has_ns_capability_noaudit() - Tests the task's real credentials

This most of the time has no practical difference, but in some cases like
changing attrs (specifically group id in this case) through an NFS client
this will allow the quota code to use XFS_QMOPT_FORCE_RES, effectively
bypassing quota accounting checks.

Using instead ns_capable_noaudit() should fix this issue and prevent
selinux audit messages.

This also fixes the remaining calls to has_capability_noaudit().

Fixes: eba0549bc7d1 ("xfs: don't generate selinux audit messages for capability testing")
Cc: <stable@vger.kernel.org> # v5.18
Cc: Jan Kara <jack@suse.cz>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Serge E. Hallyn <serge@hallyn.com>
Cc: Darrick J. Wong <djwong@kernel.org>
Cc: Dave Chinner <david@fromorbit.com>
Cc: Eric Sandeen <sandeen@redhat.com>
Cc: "Dr. Thomas Orgis" <thomas.orgis@uni-hamburg.de>
Cc: linux-xfs@vger.kernel.org
Cc: linux-fsdevel@vger.kernel.org
Cc: linux-security-module@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Reported-by: Dr. Thomas Orgis <thomas.orgis@uni-hamburg.de>
Signed-off-by: Carlos Maiolino <cmaiolino@redhat.com>
Reviewed-by: "Darrick J. Wong" <djwong@kernel.org>
---
fs/xfs/xfs_fsmap.c | 2 +-
fs/xfs/xfs_ioctl.c | 2 +-
fs/xfs/xfs_iops.c | 3 ++-
3 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/fs/xfs/xfs_fsmap.c b/fs/xfs/xfs_fsmap.c
index b6a3bc9f143c..7c79fbe0a74c 100644
--- a/fs/xfs/xfs_fsmap.c
+++ b/fs/xfs/xfs_fsmap.c
@@ -1175,7 +1175,7 @@ xfs_getfsmap(
return -EINVAL;
use_rmap = xfs_has_rmapbt(mp) &&
- has_capability_noaudit(current, CAP_SYS_ADMIN);
+ ns_capable_noaudit(&init_user_ns, CAP_SYS_ADMIN);
head->fmh_entries = 0;
/* Set up our device handlers. */
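Review bot: The `use_rmap` change in xfs_getfsmap() is not a quota path, yet it rides along in a fix tagged for stable; the commit message covers it only with "This also fix the remaining calls". Since the message says the old and new helpers test different credentials, spell out in one sentence what changes for GETFSMAP callers, or move this call site to a separate patch so the stable backport carries only the quota fix.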
diff --git a/fs/xfs/xfs_ioctl.c b/fs/xfs/xfs_ioctl.c
index 1b53701bebea..1a8af827dde1 100644
--- a/fs/xfs/xfs_ioctl.c
+++ b/fs/xfs/xfs_ioctl.c
@@ -647,7 +647,7 @@ xfs_ioctl_setattr_get_trans(
goto out_error;
error = xfs_trans_alloc_ichange(ip, NULL, NULL, pdqp,
- has_capability_noaudit(current, CAP_FOWNER), &tp);
+ ns_capable_noaudit(&init_user_ns, CAP_FOWNER), &tp);
if (error)
goto out_error;
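Review bot: In xfs_ioctl_setattr_get_trans() the capability result is passed as a bare positional argument, so nothing at the call site says this boolean decides whether the quota reservation is forced. The commit message ties it to XFS_QMOPT_FORCE_RES; a short comment above the call, or a named local such as `bool force = ns_capable_noaudit(&init_user_ns, CAP_FOWNER);`, would make a future helper swap here harder to get wrong. The message also describes only the gid change over NFS, while this site passes `pdqp`; it is worth saying whether the project quota path was affected the same way.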
diff --git a/fs/xfs/xfs_iops.c b/fs/xfs/xfs_iops.c
index 6339f4956ecb..205fe2dae732 100644
--- a/fs/xfs/xfs_iops.c
+++ b/fs/xfs/xfs_iops.c
@@ -835,7 +835,8 @@ xfs_setattr_nonsize(
}
error = xfs_trans_alloc_ichange(ip, udqp, gdqp, NULL,
- has_capability_noaudit(current, CAP_FOWNER), &tp);
+ ns_capable_noaudit(&init_user_ns, CAP_FOWNER),
+ &tp);
if (error)
goto out_dqrele;
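Review bot: In xfs_setattr_nonsize() the `&tp);` argument is split onto its own line, while the identical call in the xfs_ioctl.c hunk keeps `ns_capable_noaudit(&init_user_ns, CAP_FOWNER), &tp);` on one line. Keep the two call sites in the same shape so the backport is a plain substitution of the helper and the diffstat for this file stays at one insertion and one deletion.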
--
2.54.0
* [PATCH v3 2/5] capability: Add new capable_noaudit
From: cem @ 2026-07-02 9:33 UTC (permalink / raw)
To: cem
Cc: Jan Kara, Darrick J. Wong, Dave Chinner, Eric Sandeen, linux-xfs,
linux-fsdevel, linux-security-module, linux-kernel,
Christoph Hellwig, Serge Hallyn
From: Carlos Maiolino <cem@kernel.org>
In some situations (quota enforcement bypass in this case) we'd like to
check for a specific capability without triggering spurious audit
messages from security modules like selinux.
Add a new helper so we don't need to use ns_capable_noaudit() directly.
V3: remove the extern declaration
Signed-off-by: Carlos Maiolino <cmaiolino@redhat.com>
Cc: Jan Kara <jack@suse.cz>
Cc: Darrick J. Wong <djwong@kernel.org>
Cc: Dave Chinner <david@fromorbit.com>
Cc: Eric Sandeen <sandeen@redhat.com>
Cc: "Dr. Thomas Orgis" <thomas.orgis@uni-hamburg.de>
Cc: linux-xfs@vger.kernel.org
Cc: linux-fsdevel@vger.kernel.org
Cc: linux-security-module@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Serge Hallyn <serge@hallyn.com>
---
include/linux/capability.h | 5 +++++
kernel/capability.c | 17 +++++++++++++++++
2 files changed, 22 insertions(+)
diff --git a/include/linux/capability.h b/include/linux/capability.h
index 37db92b3d6f8..f8532d92fcad 100644
--- a/include/linux/capability.h
+++ b/include/linux/capability.h
@@ -145,6 +145,7 @@ extern bool has_capability_noaudit(struct task_struct *t, int cap);
extern bool has_ns_capability_noaudit(struct task_struct *t,
struct user_namespace *ns, int cap);
extern bool capable(int cap);
+bool capable_noaudit(int cap);
extern bool ns_capable(struct user_namespace *ns, int cap);
extern bool ns_capable_noaudit(struct user_namespace *ns, int cap);
extern bool ns_capable_setid(struct user_namespace *ns, int cap);
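Review bot: The added `bool capable_noaudit(int cap);` is the only prototype in this block without `extern`; every neighbour, including `extern bool capable(int cap);` directly above, still has it. Dropping the specifier is fine for a new declaration, but the "V3: remove the extern declaration" line that explains it sits in the commit message body; move it below the `---` so the version note does not land in git history.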
@@ -167,6 +168,10 @@ static inline bool capable(int cap)
{
return true;
}
+static inline bool capable_noaudit(int cap)
+{
+ return true;
+}
static inline bool ns_capable(struct user_namespace *ns, int cap)
{
return true;
diff --git a/kernel/capability.c b/kernel/capability.c
index 829f49ae07b9..2c2d1e8300bd 100644
--- a/kernel/capability.c
+++ b/kernel/capability.c
@@ -416,6 +416,23 @@ bool capable(int cap)
return ns_capable(&init_user_ns, cap);
}
EXPORT_SYMBOL(capable);
+
+/**
+ * capable_noaudit - Determine if the current task has a superior
+ * capability in effect (unaudited).
+ * @cap: The capability to be tested for
+ *
+ * This is the same as capable(), except it uses CAP_OPT_NOAUDIT as to prevent
+ * issuing spurious audit messages.
+ *
+ * This sets PF_SUPERPRIV on the task if the capability is available on the
+ * assumption that it's about to be used.
+ */
+bool capable_noaudit(int cap)
+{
+ return ns_capable_noaudit(&init_user_ns, cap);
+}
+EXPORT_SYMBOL(capable_noaudit);
#endif /* CONFIG_MULTIUSER */
/**
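Review bot: The kerneldoc for capable_noaudit() says that audit records are suppressed but not when that is acceptable, and it repeats the "about to be used" wording for PF_SUPERPRIV even though the callers in this series only probe the capability to choose a code path (`use_rmap`, the quota force flag). State the intended use explicitly, for example that the helper is for checks where a negative answer is a normal outcome rather than a denied operation, and that anything gating a privileged action should keep using capable() so the denial is audited. It would also help to say that the check is made against `init_user_ns`, as the body shows.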
--
2.54.0
* [PATCH v3 3/5] quota: Don't issue audit messages on quota enforcing
From: cem @ 2026-07-02 9:33 UTC (permalink / raw)
To: cem
Cc: Jan Kara, Serge E. Hallyn, Dave Chinner, Eric Sandeen, linux-xfs,
linux-fsdevel, linux-security-module, linux-kernel,
Darrick J. Wong, Christoph Hellwig
From: Carlos Maiolino <cem@kernel.org>
Calling capable() to determine if we can bypass quota enforcement or not
can trigger spurious audit messages. We don't really require it here so
just use the capable_noaudit() version.
Signed-off-by: Carlos Maiolino <cmaiolino@redhat.com>
Cc: Jan Kara <jack@suse.cz>
Cc: Serge E. Hallyn <serge@hallyn.com>
Cc: Dave Chinner <david@fromorbit.com>
Cc: Eric Sandeen <sandeen@redhat.com>
Cc: "Dr. Thomas Orgis" <thomas.orgis@uni-hamburg.de>
Cc: linux-xfs@vger.kernel.org
Cc: linux-fsdevel@vger.kernel.org
Cc: linux-security-module@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Reviewed-by: "Darrick J. Wong" <djwong@kernel.org>
Reviewed-by: Christoph Hellwig <hch@lst.de>
---
fs/quota/dquot.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c
index 9850de3955d3..dab93422a57b 100644
--- a/fs/quota/dquot.c
+++ b/fs/quota/dquot.c
@@ -1308,7 +1308,7 @@ static int ignore_hardlimit(struct dquot *dquot)
{
struct mem_dqinfo *info = &sb_dqopt(dquot->dq_sb)->info[dquot->dq_id.type];
- return capable(CAP_SYS_RESOURCE) &&
+ return capable_noaudit(CAP_SYS_RESOURCE) &&
(info->dqi_format->qf_fmt_id != QFMT_VFS_OLD ||
!(info->dqi_flags & DQF_ROOT_SQUASH));
}
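Review bot: ignore_hardlimit() switches to `capable_noaudit(CAP_SYS_RESOURCE)` with no comment, so the next reader cannot tell that the missing audit record is deliberate. Add a one-line comment above the return saying that this is a probe to decide whether the hard limit can be bypassed, that failing it just means the limit is enforced, and that this is why no audit message is wanted.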
--
2.54.0
* [PATCH v3 4/5] xfs: replace ns_capable_noaudit
From: cem @ 2026-07-02 9:33 UTC (permalink / raw)
To: cem
Cc: Jan Kara, Christoph Hellwig, Serge E. Hallyn, Darrick J. Wong,
Dave Chinner, Eric Sandeen, linux-xfs, linux-fsdevel,
linux-security-module, linux-kernel
From: Carlos Maiolino <cem@kernel.org>
Now that capable_noaudit() is available, we don't need to keep
using ns_capable_noaudit() and specifying the user namespace every single
time.
Signed-off-by: Carlos Maiolino <cmaiolino@redhat.com>
Cc: Jan Kara <jack@suse.cz>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Serge E. Hallyn <serge@hallyn.com>
Cc: Darrick J. Wong <djwong@kernel.org>
Cc: Dave Chinner <david@fromorbit.com>
Cc: Eric Sandeen <sandeen@redhat.com>
Cc: "Dr. Thomas Orgis" <thomas.orgis@uni-hamburg.de>
Cc: linux-xfs@vger.kernel.org
Cc: linux-fsdevel@vger.kernel.org
Cc: linux-security-module@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
---
fs/xfs/xfs_fsmap.c | 3 +--
fs/xfs/xfs_ioctl.c | 2 +-
fs/xfs/xfs_iops.c | 2 +-
3 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/fs/xfs/xfs_fsmap.c b/fs/xfs/xfs_fsmap.c
index 7c79fbe0a74c..041bb2105ec6 100644
--- a/fs/xfs/xfs_fsmap.c
+++ b/fs/xfs/xfs_fsmap.c
@@ -1174,8 +1174,7 @@ xfs_getfsmap(
if (!xfs_getfsmap_check_keys(&head->fmh_keys[0], &head->fmh_keys[1]))
return -EINVAL;
- use_rmap = xfs_has_rmapbt(mp) &&
- ns_capable_noaudit(&init_user_ns, CAP_SYS_ADMIN);
+ use_rmap = xfs_has_rmapbt(mp) && capable_noaudit(CAP_SYS_ADMIN);
head->fmh_entries = 0;
/* Set up our device handlers. */
diff --git a/fs/xfs/xfs_ioctl.c b/fs/xfs/xfs_ioctl.c
index 1a8af827dde1..374b488f0416 100644
--- a/fs/xfs/xfs_ioctl.c
+++ b/fs/xfs/xfs_ioctl.c
@@ -647,7 +647,7 @@ xfs_ioctl_setattr_get_trans(
goto out_error;
error = xfs_trans_alloc_ichange(ip, NULL, NULL, pdqp,
- ns_capable_noaudit(&init_user_ns, CAP_FOWNER), &tp);
+ capable_noaudit(CAP_FOWNER), &tp);
if (error)
goto out_error;
diff --git a/fs/xfs/xfs_iops.c b/fs/xfs/xfs_iops.c
index 205fe2dae732..ce9f8b8468fc 100644
--- a/fs/xfs/xfs_iops.c
+++ b/fs/xfs/xfs_iops.c
@@ -835,7 +835,7 @@ xfs_setattr_nonsize(
}
error = xfs_trans_alloc_ichange(ip, udqp, gdqp, NULL,
- ns_capable_noaudit(&init_user_ns, CAP_FOWNER),
+ capable_noaudit(CAP_FOWNER),
&tp);
if (error)
goto out_dqrele;
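Review bot: After the rename, `capable_noaudit(CAP_FOWNER),` and `&tp);` still sit on separate lines in xfs_setattr_nonsize(), although the xfs_ioctl.c hunk of this same patch writes `capable_noaudit(CAP_FOWNER), &tp);` on one line. The shorter call no longer needs the wrap; fold `&tp` back onto the argument line so both call sites match.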
--
2.54.0
* [PATCH v3 5/5] capability: unexport has_capability_noaudit
From: cem @ 2026-07-02 9:33 UTC (permalink / raw)
To: cem
Cc: Jan Kara, Serge E. Hallyn, Dave Chinner, Eric Sandeen, linux-xfs,
linux-fsdevel, linux-security-module, linux-kernel,
Darrick J. Wong, Christoph Hellwig
From: Carlos Maiolino <cem@kernel.org>
This was originally exported to be used in xfs. Given we are not
using it anymore, unexport it for consistency.
Signed-off-by: Carlos Maiolino <cmaiolino@redhat.com>
Cc: Jan Kara <jack@suse.cz>
Cc: Serge E. Hallyn <serge@hallyn.com>
Cc: Dave Chinner <david@fromorbit.com>
Cc: Eric Sandeen <sandeen@redhat.com>
Cc: "Dr. Thomas Orgis" <thomas.orgis@uni-hamburg.de>
Cc: linux-xfs@vger.kernel.org
Cc: linux-fsdevel@vger.kernel.org
Cc: linux-security-module@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Reviewed-by: "Darrick J. Wong" <djwong@kernel.org>
Reviewed-by: Christoph Hellwig <hch@lst.de>
---
kernel/capability.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/kernel/capability.c b/kernel/capability.c
index 2c2d1e8300bd..3d0387fb93a3 100644
--- a/kernel/capability.c
+++ b/kernel/capability.c
@@ -326,7 +326,6 @@ bool has_capability_noaudit(struct task_struct *t, int cap)
{
return has_ns_capability_noaudit(t, &init_user_ns, cap);
}
-EXPORT_SYMBOL(has_capability_noaudit);
static bool ns_capable_common(struct user_namespace *ns,
int cap,
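Review bot: Removing `EXPORT_SYMBOL(has_capability_noaudit);` leaves the function itself non-static and, going by the capability.h context in patch 2, still declared with `extern` in the header. The commit message only says xfs no longer uses it; add a sentence confirming that no other modular code calls it and that built-in callers remain, otherwise the function and its prototype can go in the same patch.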
--
2.54.0
* Re: [PATCH v3 1/5] xfs: fix capability check in xfs
From: Christoph Hellwig @ 2026-07-02 10:30 UTC (permalink / raw)
To: cem
Cc: stable, Jan Kara, Christoph Hellwig, Serge E. Hallyn,
Darrick J. Wong, Dave Chinner, Eric Sandeen, linux-xfs,
linux-fsdevel, linux-security-module, linux-kernel,
Dr. Thomas Orgis
On Thu, Jul 02, 2026 at 11:33:17AM +0200, cem@kernel.org wrote:
> index 6339f4956ecb..205fe2dae732 100644
> --- a/fs/xfs/xfs_iops.c
> +++ b/fs/xfs/xfs_iops.c
> @@ -835,7 +835,8 @@ xfs_setattr_nonsize(
> }
>
> error = xfs_trans_alloc_ichange(ip, udqp, gdqp, NULL,
> - has_capability_noaudit(current, CAP_FOWNER), &tp);
> + ns_capable_noaudit(&init_user_ns, CAP_FOWNER),
Extra indentation and an overly long line caused by that here.
Otherwise looks good.
* Re: [PATCH v3 3/5] quota: Don't issue audit messages on quota enforcing
From: Jan Kara @ 2026-07-02 10:56 UTC (permalink / raw)
To: cem
Cc: Jan Kara, Serge E. Hallyn, Dave Chinner, Eric Sandeen, linux-xfs,
linux-fsdevel, linux-security-module, linux-kernel,
Darrick J. Wong, Christoph Hellwig
On Thu 02-07-26 11:33:21, cem@kernel.org wrote:
> From: Carlos Maiolino <cem@kernel.org>
>
> Calling capable() to determine if we can bypass quota enforcement or not
> can trigger spurious audit messages. We don't really require it here so
> just use the capable_noaudit() version.
>
> Signed-off-by: Carlos Maiolino <cmaiolino@redhat.com>
> Cc: Jan Kara <jack@suse.cz>
> Cc: Serge E. Hallyn <serge@hallyn.com>
> Cc: Dave Chinner <david@fromorbit.com>
> Cc: Eric Sandeen <sandeen@redhat.com>
> Cc: "Dr. Thomas Orgis" <thomas.orgis@uni-hamburg.de>
> Cc: linux-xfs@vger.kernel.org
> Cc: linux-fsdevel@vger.kernel.org
> Cc: linux-security-module@vger.kernel.org
> Cc: linux-kernel@vger.kernel.org
> Reviewed-by: "Darrick J. Wong" <djwong@kernel.org>
> Reviewed-by: Christoph Hellwig <hch@lst.de>
Makes sense. Feel free to add:
Acked-by: Jan Kara <jack@suse.cz>
Honza
> ---
> fs/quota/dquot.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c
> index 9850de3955d3..dab93422a57b 100644
> --- a/fs/quota/dquot.c
> +++ b/fs/quota/dquot.c
> @@ -1308,7 +1308,7 @@ static int ignore_hardlimit(struct dquot *dquot)
> {
> struct mem_dqinfo *info = &sb_dqopt(dquot->dq_sb)->info[dquot->dq_id.type];
>
> - return capable(CAP_SYS_RESOURCE) &&
> + return capable_noaudit(CAP_SYS_RESOURCE) &&
> (info->dqi_format->qf_fmt_id != QFMT_VFS_OLD ||
> !(info->dqi_flags & DQF_ROOT_SQUASH));
> }
> --
> 2.54.0
>
--
Jan Kara <jack@suse.com>
SUSE Labs, CR
* Re: [PATCH v3 1/5] xfs: fix capability check in xfs
From: Carlos Maiolino @ 2026-07-02 11:17 UTC (permalink / raw)
To: Christoph Hellwig
Cc: stable, Jan Kara, Serge E. Hallyn, Darrick J. Wong, Dave Chinner,
Eric Sandeen, linux-xfs, linux-fsdevel, linux-security-module,
linux-kernel, Dr. Thomas Orgis
On Thu, Jul 02, 2026 at 12:30:52PM +0200, Christoph Hellwig wrote:
> On Thu, Jul 02, 2026 at 11:33:17AM +0200, cem@kernel.org wrote:
> > index 6339f4956ecb..205fe2dae732 100644
> > --- a/fs/xfs/xfs_iops.c
> > +++ b/fs/xfs/xfs_iops.c
> > @@ -835,7 +835,8 @@ xfs_setattr_nonsize(
> > }
> >
> > error = xfs_trans_alloc_ichange(ip, udqp, gdqp, NULL,
> > - has_capability_noaudit(current, CAP_FOWNER), &tp);
> > + ns_capable_noaudit(&init_user_ns, CAP_FOWNER),
>
Thanks, I tried to keep the parameters aligned, but I can bring it one
tab back. Do you mind if I fix it at commit time if -unlikely- no other
change is required?
This is what it will look like:
error = xfs_trans_alloc_ichange(ip, udqp, gdqp, NULL,
- has_capability_noaudit(current, CAP_FOWNER), &tp);
+ ns_capable_noaudit(&init_user_ns, CAP_FOWNER),
+ &tp);
> Extra indentation and an overly long line caused by that here.
>
> Otherwise looks good.
>
* Re: [PATCH v3 1/5] xfs: fix capability check in xfs
From: Christoph Hellwig @ 2026-07-02 11:24 UTC (permalink / raw)
To: Carlos Maiolino
Cc: Christoph Hellwig, stable, Jan Kara, Serge E. Hallyn,
Darrick J. Wong, Dave Chinner, Eric Sandeen, linux-xfs,
linux-fsdevel, linux-security-module, linux-kernel,
Dr. Thomas Orgis
On Thu, Jul 02, 2026 at 01:17:29PM +0200, Carlos Maiolino wrote:
> On Thu, Jul 02, 2026 at 12:30:52PM +0200, Christoph Hellwig wrote:
> > On Thu, Jul 02, 2026 at 11:33:17AM +0200, cem@kernel.org wrote:
> > > index 6339f4956ecb..205fe2dae732 100644
> > > --- a/fs/xfs/xfs_iops.c
> > > +++ b/fs/xfs/xfs_iops.c
> > > @@ -835,7 +835,8 @@ xfs_setattr_nonsize(
> > > }
> > >
> > > error = xfs_trans_alloc_ichange(ip, udqp, gdqp, NULL,
> > > - has_capability_noaudit(current, CAP_FOWNER), &tp);
> > > + ns_capable_noaudit(&init_user_ns, CAP_FOWNER),
> >
>
> Thanks, I tried to keep the parameters aligned, but I can bring it one
> tab back. Do you mind if I fix it at commit time if -unlikely- no other
> change is required?
>
> This is what it will look like:
>
> error = xfs_trans_alloc_ichange(ip, udqp, gdqp, NULL,
> - has_capability_noaudit(current, CAP_FOWNER), &tp);
> + ns_capable_noaudit(&init_user_ns, CAP_FOWNER),
> + &tp);
This still adds an extra tab. Like much (but not all) of the kernel
we use two-tabs by default, which is also in the other two hunks. This
now adds a third. Just keep it as it was:
error = xfs_trans_alloc_ichange(ip, udqp, gdqp, NULL,
ns_capable_noaudit(&init_user_ns, CAP_FOWNER), &tp);
* Re: [PATCH v3 1/5] xfs: fix capability check in xfs
From: Carlos Maiolino @ 2026-07-02 12:11 UTC (permalink / raw)
To: Christoph Hellwig
Cc: stable, Jan Kara, Serge E. Hallyn, Darrick J. Wong, Dave Chinner,
Eric Sandeen, linux-xfs, linux-fsdevel, linux-security-module,
linux-kernel, Dr. Thomas Orgis
On Thu, Jul 02, 2026 at 01:24:38PM +0200, Christoph Hellwig wrote:
> On Thu, Jul 02, 2026 at 01:17:29PM +0200, Carlos Maiolino wrote:
> > On Thu, Jul 02, 2026 at 12:30:52PM +0200, Christoph Hellwig wrote:
> > > On Thu, Jul 02, 2026 at 11:33:17AM +0200, cem@kernel.org wrote:
> > > > index 6339f4956ecb..205fe2dae732 100644
> > > > --- a/fs/xfs/xfs_iops.c
> > > > +++ b/fs/xfs/xfs_iops.c
> > > > @@ -835,7 +835,8 @@ xfs_setattr_nonsize(
> > > > }
> > > >
> > > > error = xfs_trans_alloc_ichange(ip, udqp, gdqp, NULL,
> > > > - has_capability_noaudit(current, CAP_FOWNER), &tp);
> > > > + ns_capable_noaudit(&init_user_ns, CAP_FOWNER),
> > >
> >
> > Thanks, I tried to keep the parameters aligned, but I can bring it one
> > tab back. Do you mind if I fix it at commit time if -unlikely- no other
> > change is required?
> >
> > This is what it will look like:
> >
> > error = xfs_trans_alloc_ichange(ip, udqp, gdqp, NULL,
> > - has_capability_noaudit(current, CAP_FOWNER), &tp);
> > + ns_capable_noaudit(&init_user_ns, CAP_FOWNER),
> > + &tp);
>
> This still adds an extra tab. Like much (but not all) of the kernel
> we use two-tabs by default, which is also in the other two hunks. This
> now adds a third. Just keep it as it was:
>
> error = xfs_trans_alloc_ichange(ip, udqp, gdqp, NULL,
> ns_capable_noaudit(&init_user_ns, CAP_FOWNER), &tp);
>
>
Ok, will do!
* Re: [PATCH v3 1/5] xfs: fix capability check in xfs
From: Carlos Maiolino @ 2026-07-02 12:24 UTC (permalink / raw)
To: Christoph Hellwig
Cc: stable, Jan Kara, Serge E. Hallyn, Darrick J. Wong, Dave Chinner,
Eric Sandeen, linux-xfs, linux-fsdevel, linux-security-module,
linux-kernel, Dr. Thomas Orgis
> > + ns_capable_noaudit(&init_user_ns, CAP_FOWNER),
> > + &tp);
>
> This still adds an extra tab. Like much (but not all) of the kernel
> we use two-tabs by default, which is also in the other two hunks. This
> now adds a third. Just keep it as it was:
>
> error = xfs_trans_alloc_ichange(ip, udqp, gdqp, NULL,
> ns_capable_noaudit(&init_user_ns, CAP_FOWNER), &tp);
>
>
FWIW, I also fixed these in the patch 4 which I had screwed up too :)
* Re: [PATCH v3 2/5] capability: Add new capable_noaudit
From: Darrick J. Wong @ 2026-07-02 15:56 UTC (permalink / raw)
To: cem
Cc: Jan Kara, Dave Chinner, Eric Sandeen, linux-xfs, linux-fsdevel,
linux-security-module, linux-kernel, Christoph Hellwig,
Serge Hallyn
On Thu, Jul 02, 2026 at 11:33:19AM +0200, cem@kernel.org wrote:
> From: Carlos Maiolino <cem@kernel.org>
>
> In some situations (quota enforcement bypass in this case) we'd like to
> check for a specific capability without triggering spurious audit
> messages from security modules like selinux.
>
> Add a new helper so we don't need to use ns_capable_noaudit() directly.
>
> V3: remove the extern declaration
>
> Signed-off-by: Carlos Maiolino <cmaiolino@redhat.com>
> Cc: Jan Kara <jack@suse.cz>
> Cc: Darrick J. Wong <djwong@kernel.org>
> Cc: Dave Chinner <david@fromorbit.com>
> Cc: Eric Sandeen <sandeen@redhat.com>
> Cc: "Dr. Thomas Orgis" <thomas.orgis@uni-hamburg.de>
> Cc: linux-xfs@vger.kernel.org
> Cc: linux-fsdevel@vger.kernel.org
> Cc: linux-security-module@vger.kernel.org
> Cc: linux-kernel@vger.kernel.org
> Reviewed-by: Christoph Hellwig <hch@lst.de>
> Reviewed-by: Serge Hallyn <serge@hallyn.com>
> ---
> include/linux/capability.h | 5 +++++
> kernel/capability.c | 17 +++++++++++++++++
> 2 files changed, 22 insertions(+)
>
> diff --git a/include/linux/capability.h b/include/linux/capability.h
> index 37db92b3d6f8..f8532d92fcad 100644
> --- a/include/linux/capability.h
> +++ b/include/linux/capability.h
> @@ -145,6 +145,7 @@ extern bool has_capability_noaudit(struct task_struct *t, int cap);
> extern bool has_ns_capability_noaudit(struct task_struct *t,
> struct user_namespace *ns, int cap);
> extern bool capable(int cap);
> +bool capable_noaudit(int cap);
> extern bool ns_capable(struct user_namespace *ns, int cap);
> extern bool ns_capable_noaudit(struct user_namespace *ns, int cap);
> extern bool ns_capable_setid(struct user_namespace *ns, int cap);
> @@ -167,6 +168,10 @@ static inline bool capable(int cap)
> {
> return true;
> }
> +static inline bool capable_noaudit(int cap)
> +{
> + return true;
> +}
> static inline bool ns_capable(struct user_namespace *ns, int cap)
> {
> return true;
> diff --git a/kernel/capability.c b/kernel/capability.c
> index 829f49ae07b9..2c2d1e8300bd 100644
> --- a/kernel/capability.c
> +++ b/kernel/capability.c
> @@ -416,6 +416,23 @@ bool capable(int cap)
> return ns_capable(&init_user_ns, cap);
> }
> EXPORT_SYMBOL(capable);
> +
> +/**
> + * capable_noaudit - Determine if the current task has a superior
> + * capability in effect (unaudited).
> + * @cap: The capability to be tested for
> + *
> + * This is the same as capable(), except it uses CAP_OPT_NOAUDIT as to prevent
> + * issuing spurious audit messages.
> + *
> + * This sets PF_SUPERPRIV on the task if the capability is available on the
> + * assumption that it's about to be used.
Same complaint about the documentation as last time:
https://lore.kernel.org/linux-fsdevel/20260626151656.GT6078@frogsfrogsfrogs/
--D
> + */
> +bool capable_noaudit(int cap)
> +{
> + return ns_capable_noaudit(&init_user_ns, cap);
> +}
> +EXPORT_SYMBOL(capable_noaudit);
> #endif /* CONFIG_MULTIUSER */
>
> /**
> --
> 2.54.0
>
>
* Re: [PATCH v3 4/5] xfs: replace ns_capable_noaudit
From: Darrick J. Wong @ 2026-07-02 15:58 UTC (permalink / raw)
To: cem
Cc: Jan Kara, Christoph Hellwig, Serge E. Hallyn, Dave Chinner,
Eric Sandeen, linux-xfs, linux-fsdevel, linux-security-module,
linux-kernel
On Thu, Jul 02, 2026 at 11:33:23AM +0200, cem@kernel.org wrote:
> From: Carlos Maiolino <cem@kernel.org>
>
> Now that capable_noaudit() is available, we don't need to keep
> using ns_capable_noaudit() and specifying the user namespace every single
> time.
>
> Signed-off-by: Carlos Maiolino <cmaiolino@redhat.com>
> Cc: Jan Kara <jack@suse.cz>
> Cc: Christoph Hellwig <hch@lst.de>
> Cc: Serge E. Hallyn <serge@hallyn.com>
> Cc: Darrick J. Wong <djwong@kernel.org>
> Cc: Dave Chinner <david@fromorbit.com>
> Cc: Eric Sandeen <sandeen@redhat.com>
> Cc: "Dr. Thomas Orgis" <thomas.orgis@uni-hamburg.de>
> Cc: linux-xfs@vger.kernel.org
> Cc: linux-fsdevel@vger.kernel.org
> Cc: linux-security-module@vger.kernel.org
> Cc: linux-kernel@vger.kernel.org
> ---
> fs/xfs/xfs_fsmap.c | 3 +--
> fs/xfs/xfs_ioctl.c | 2 +-
> fs/xfs/xfs_iops.c | 2 +-
> 3 files changed, 3 insertions(+), 4 deletions(-)
>
> diff --git a/fs/xfs/xfs_fsmap.c b/fs/xfs/xfs_fsmap.c
> index 7c79fbe0a74c..041bb2105ec6 100644
> --- a/fs/xfs/xfs_fsmap.c
> +++ b/fs/xfs/xfs_fsmap.c
> @@ -1174,8 +1174,7 @@ xfs_getfsmap(
> if (!xfs_getfsmap_check_keys(&head->fmh_keys[0], &head->fmh_keys[1]))
> return -EINVAL;
>
> - use_rmap = xfs_has_rmapbt(mp) &&
> - ns_capable_noaudit(&init_user_ns, CAP_SYS_ADMIN);
> + use_rmap = xfs_has_rmapbt(mp) && capable_noaudit(CAP_SYS_ADMIN);
> head->fmh_entries = 0;
>
> /* Set up our device handlers. */
> diff --git a/fs/xfs/xfs_ioctl.c b/fs/xfs/xfs_ioctl.c
> index 1a8af827dde1..374b488f0416 100644
> --- a/fs/xfs/xfs_ioctl.c
> +++ b/fs/xfs/xfs_ioctl.c
> @@ -647,7 +647,7 @@ xfs_ioctl_setattr_get_trans(
> goto out_error;
>
> error = xfs_trans_alloc_ichange(ip, NULL, NULL, pdqp,
> - ns_capable_noaudit(&init_user_ns, CAP_FOWNER), &tp);
> + capable_noaudit(CAP_FOWNER), &tp);
Not sure why the indentation changed, otherwise the patch looks fine to
me.
--D
> if (error)
> goto out_error;
>
> diff --git a/fs/xfs/xfs_iops.c b/fs/xfs/xfs_iops.c
> index 205fe2dae732..ce9f8b8468fc 100644
> --- a/fs/xfs/xfs_iops.c
> +++ b/fs/xfs/xfs_iops.c
> @@ -835,7 +835,7 @@ xfs_setattr_nonsize(
> }
>
> error = xfs_trans_alloc_ichange(ip, udqp, gdqp, NULL,
> - ns_capable_noaudit(&init_user_ns, CAP_FOWNER),
> + capable_noaudit(CAP_FOWNER),
> &tp);
> if (error)
> goto out_dqrele;
> --
> 2.54.0
>
>