The oomkiller calculations make decisions based on capabilities. Since
these are not security decisions and LSMs should not record if they fall the request they should use the new has_capability_noaudit() interface so the denials will not be recorded. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
This commit is contained in:
parent
06112163f5
commit
a2f2945a99
|
@ -129,8 +129,8 @@ unsigned long badness(struct task_struct *p, unsigned long uptime)
|
|||
* Superuser processes are usually more important, so we make it
|
||||
* less likely that we kill those.
|
||||
*/
|
||||
if (has_capability(p, CAP_SYS_ADMIN) ||
|
||||
has_capability(p, CAP_SYS_RESOURCE))
|
||||
if (has_capability_noaudit(p, CAP_SYS_ADMIN) ||
|
||||
has_capability_noaudit(p, CAP_SYS_RESOURCE))
|
||||
points /= 4;
|
||||
|
||||
/*
|
||||
|
@ -139,7 +139,7 @@ unsigned long badness(struct task_struct *p, unsigned long uptime)
|
|||
* tend to only have this flag set on applications they think
|
||||
* of as important.
|
||||
*/
|
||||
if (has_capability(p, CAP_SYS_RAWIO))
|
||||
if (has_capability_noaudit(p, CAP_SYS_RAWIO))
|
||||
points /= 4;
|
||||
|
||||
/*
|
||||
|
|
Loading…
Reference in New Issue