From: "Serge E. Hallyn" <serge@hallyn.com>
To: Ondrej Mosnacek <omosnace@redhat.com>
Cc: Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
bpf@vger.kernel.org, selinux@vger.kernel.org,
linux-security-module@vger.kernel.org
Subject: Re: [PATCH] x86/bpf: use bpf_capable() instead of capable(CAP_SYS_ADMIN)
Date: Fri, 8 Aug 2025 18:58:57 -0500
Message-ID: <aJaPQZqDIcT17aAU@mail.hallyn.com>
In-Reply-To: <aJP+/1VGbe1EcgKz@mail.hallyn.com>
On Wed, Aug 06, 2025 at 08:18:55PM -0500, Serge E. Hallyn wrote:
> On Wed, Aug 06, 2025 at 04:31:05PM +0200, Ondrej Mosnacek wrote:
> > Don't check against the overloaded CAP_SYS_ADMIN in do_jit(), but instead
> > use bpf_capable(), which checks against the more granular CAP_BPF first.
> > Going straight to CAP_SYS_ADMIN may cause unnecessary audit log spam
> > under SELinux, as privileged domains using BPF would usually only be
> > allowed CAP_BPF and not CAP_SYS_ADMIN.
> >
> > Link: https://bugzilla.redhat.com/show_bug.cgi?id=2369326
> > Fixes: d4e89d212d40 ("x86/bpf: Call branch history clearing sequence on exit")
> > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
>
> So this seems correct, *provided* that we consider it within the purview of
> CAP_BPF to be able to avoid clearing the branch history buffer.
>
> I suspect that's the case, but it might warrant discussion.
>
> Reviewed-by: Serge Hallyn <serge@hallyn.com>
(BTW, I'm assuming this will get pulled into a BPF tree or something, and
doesn't need to go into the capabilities tree. Let me know if that's wrong)
> > ---
> > arch/x86/net/bpf_jit_comp.c | 3 +--
> > 1 file changed, 1 insertion(+), 2 deletions(-)
> >
> > diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c
> > index 15672cb926fc1..2a825e5745ca1 100644
> > --- a/arch/x86/net/bpf_jit_comp.c
> > +++ b/arch/x86/net/bpf_jit_comp.c
> > @@ -2591,8 +2591,7 @@ emit_jmp:
> > seen_exit = true;
> > /* Update cleanup_addr */
> > ctx->cleanup_addr = proglen;
> > - if (bpf_prog_was_classic(bpf_prog) &&
> > - !capable(CAP_SYS_ADMIN)) {
> > + if (bpf_prog_was_classic(bpf_prog) && !bpf_capable()) {
> > u8 *ip = image + addrs[i - 1];
> >
> > if (emit_spectre_bhb_barrier(&prog, ip, bpf_prog))
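Review bot: the new condition `if (bpf_prog_was_classic(bpf_prog) && !bpf_capable())` widens who may skip the BHB-clearing sequence, not just who gets audited: bpf_capable() is capable(CAP_BPF) || capable(CAP_SYS_ADMIN), so a loader holding only CAP_BPF now bypasses emit_spectre_bhb_barrier() for classic programs where the old `!capable(CAP_SYS_ADMIN)` did not. The commit message presents this purely as audit-noise reduction; it should state explicitly that skipping the Spectre BHB barrier for cBPF-derived programs is considered within the scope of CAP_BPF (the point raised in the review above), so the policy change is recorded in the log. Note also that because bpf_capable() falls through to capable(CAP_SYS_ADMIN) when CAP_BPF is denied, a domain granted neither capability will still produce the CAP_SYS_ADMIN denial record (plus a CAP_BPF one); the audit spam goes away only for domains that are allowed CAP_BPF, which matches the scenario described but is worth saying.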
> > --
> > 2.50.1
> >
Thread overview: 9+ messages
2025-08-06 14:31 [PATCH] x86/bpf: use bpf_capable() instead of capable(CAP_SYS_ADMIN) Ondrej Mosnacek
2025-08-07 1:18 ` Serge E. Hallyn
2025-08-08 23:58 ` Serge E. Hallyn [this message]
2025-08-09 0:46 ` Alexei Starovoitov
2025-08-09 1:06 ` Serge E. Hallyn
2025-08-13 9:49 ` Ondrej Mosnacek
2025-08-25 11:40 ` Ondrej Mosnacek
2025-09-02 17:36 ` Alexei Starovoitov
2025-10-21 12:32 ` Ondrej Mosnacek