Skip to content

x86/bpf: do not audit capability check in do_jit() #10059

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

x86/bpf: do not audit capability check in do_jit() #10059

wants to merge 1 commit into from

Conversation

@kernel-patches-daemon-bpf
Copy link

Pull request for series with
subject: x86/bpf: do not audit capability check in do_jit()
version: 2
url: https://patchwork.kernel.org/project/netdevbpf/list/?series=1014021

@kernel-patches-daemon-bpf
Copy link
Author

Upstream branch: 04a8995
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=1014021
version: 2

@kernel-patches-daemon-bpf
Copy link
Author

Upstream branch: 04a8995
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=1014021
version: 2

@kernel-patches-daemon-bpf
Copy link
Author

Upstream branch: 96d31df
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=1014021
version: 2

@kernel-patches-daemon-bpf
Copy link
Author

Upstream branch: e758657
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=1014021
version: 2

@WOnder93
x86/bpf: do not audit capability check in do_jit()
e9a6d81 
The failure of this check only results in a security mitigation being
applied, slightly affecting performance of the compiled BPF program. It
doesn't result in a failed syscall, an thus auditing a failed LSM
permission check for it is unwanted. For example with SELinux, it causes
a denial to be reported for confined processes running as root, which
tends to be flagged as a problem to be fixed in the policy. Yet
dontauditing or allowing CAP_SYS_ADMIN to the domain may not be
desirable, as it would allow/silence also other checks - either going
against the principle of least privilege or making debugging potentially
harder.

Fix it by changing it from capable() to ns_capable_noaudit(), which
instructs the LSMs to not audit the resulting denials.

Link: https://bugzilla.redhat.com/show_bug.cgi?id=2369326
Fixes: d4e89d2 ("x86/bpf: Call branch history clearing sequence on exit")
Signed-off-by: Ondrej Mosnacek <[email protected]>
Reviewed-by: Paul Moore <[email protected]>
@kernel-patches-daemon-bpf
Copy link
Author

At least one diff in series https://patchwork.kernel.org/project/netdevbpf/list/?series=1014021 irrelevant now. Closing PR.

@kernel-patches-daemon-bpf kernel-patches-daemon-bpf bot deleted the series/1014021=>bpf-next branch October 22, 2025 01:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

accepted bpf-next V2-ci-pass V2

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@WOnder93