* [PATCH v2] x86/bpf: do not audit capability check in do_jit()
@ 2025-10-21 12:27 Ondrej Mosnacek
2025-10-21 16:22 ` Paul Moore
2025-10-22 1:30 ` patchwork-bot+netdevbpf
0 siblings, 2 replies; 3+ messages in thread
From: Ondrej Mosnacek @ 2025-10-21 12:27 UTC (permalink / raw)
To: Alexei Starovoitov, Daniel Borkmann
Cc: bpf, selinux, linux-security-module, Serge E . Hallyn
The failure of this check only results in a security mitigation being
applied, slightly affecting performance of the compiled BPF program. It
doesn't result in a failed syscall, an thus auditing a failed LSM
permission check for it is unwanted. For example with SELinux, it causes
a denial to be reported for confined processes running as root, which
tends to be flagged as a problem to be fixed in the policy. Yet
dontauditing or allowing CAP_SYS_ADMIN to the domain may not be
desirable, as it would allow/silence also other checks - either going
against the principle of least privilege or making debugging potentially
harder.
Fix it by changing it from capable() to ns_capable_noaudit(), which
instructs the LSMs to not audit the resulting denials.
Link: https://bugzilla.redhat.com/show_bug.cgi?id=2369326
Fixes: d4e89d212d40 ("x86/bpf: Call branch history clearing sequence on exit")
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
v1: https://lore.kernel.org/selinux/20250806143105.915748-1-omosnace@redhat.com/
Changes in v2:
- just silence the audit records instead of switching to bpf_capable()
arch/x86/net/bpf_jit_comp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c
index d4c93d9e73e40..de5083cb1d374 100644
--- a/arch/x86/net/bpf_jit_comp.c
+++ b/arch/x86/net/bpf_jit_comp.c
@@ -2701,7 +2701,7 @@ emit_jmp:
/* Update cleanup_addr */
ctx->cleanup_addr = proglen;
if (bpf_prog_was_classic(bpf_prog) &&
- !capable(CAP_SYS_ADMIN)) {
+ !ns_capable_noaudit(&init_user_ns, CAP_SYS_ADMIN)) {
u8 *ip = image + addrs[i - 1];
if (emit_spectre_bhb_barrier(&prog, ip, bpf_prog))
--
2.51.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH v2] x86/bpf: do not audit capability check in do_jit()
2025-10-21 12:27 [PATCH v2] x86/bpf: do not audit capability check in do_jit() Ondrej Mosnacek
@ 2025-10-21 16:22 ` Paul Moore
2025-10-22 1:30 ` patchwork-bot+netdevbpf
1 sibling, 0 replies; 3+ messages in thread
From: Paul Moore @ 2025-10-21 16:22 UTC (permalink / raw)
To: Ondrej Mosnacek
Cc: Alexei Starovoitov, Daniel Borkmann, bpf, selinux,
linux-security-module, Serge E . Hallyn
On Tue, Oct 21, 2025 at 8:28 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
>
> The failure of this check only results in a security mitigation being
> applied, slightly affecting performance of the compiled BPF program. It
> doesn't result in a failed syscall, an thus auditing a failed LSM
> permission check for it is unwanted. For example with SELinux, it causes
> a denial to be reported for confined processes running as root, which
> tends to be flagged as a problem to be fixed in the policy. Yet
> dontauditing or allowing CAP_SYS_ADMIN to the domain may not be
> desirable, as it would allow/silence also other checks - either going
> against the principle of least privilege or making debugging potentially
> harder.
>
> Fix it by changing it from capable() to ns_capable_noaudit(), which
> instructs the LSMs to not audit the resulting denials.
>
> Link: https://bugzilla.redhat.com/show_bug.cgi?id=2369326
> Fixes: d4e89d212d40 ("x86/bpf: Call branch history clearing sequence on exit")
> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> ---
>
> v1: https://lore.kernel.org/selinux/20250806143105.915748-1-omosnace@redhat.com/
> Changes in v2:
> - just silence the audit records instead of switching to bpf_capable()
>
> arch/x86/net/bpf_jit_comp.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
Reviewed-by: Paul Moore <paul@paul-moore.com>
--
paul-moore.com
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH v2] x86/bpf: do not audit capability check in do_jit()
2025-10-21 12:27 [PATCH v2] x86/bpf: do not audit capability check in do_jit() Ondrej Mosnacek
2025-10-21 16:22 ` Paul Moore
@ 2025-10-22 1:30 ` patchwork-bot+netdevbpf
1 sibling, 0 replies; 3+ messages in thread
From: patchwork-bot+netdevbpf @ 2025-10-22 1:30 UTC (permalink / raw)
To: Ondrej Mosnacek; +Cc: ast, daniel, bpf, selinux, linux-security-module, serge
Hello:
This patch was applied to bpf/bpf.git (master)
by Alexei Starovoitov <ast@kernel.org>:
On Tue, 21 Oct 2025 14:27:58 +0200 you wrote:
> The failure of this check only results in a security mitigation being
> applied, slightly affecting performance of the compiled BPF program. It
> doesn't result in a failed syscall, an thus auditing a failed LSM
> permission check for it is unwanted. For example with SELinux, it causes
> a denial to be reported for confined processes running as root, which
> tends to be flagged as a problem to be fixed in the policy. Yet
> dontauditing or allowing CAP_SYS_ADMIN to the domain may not be
> desirable, as it would allow/silence also other checks - either going
> against the principle of least privilege or making debugging potentially
> harder.
>
> [...]
Here is the summary with links:
- [v2] x86/bpf: do not audit capability check in do_jit()
https://git.kernel.org/bpf/bpf/c/881a9c9cb785
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2025-10-22 1:30 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-10-21 12:27 [PATCH v2] x86/bpf: do not audit capability check in do_jit() Ondrej Mosnacek
2025-10-21 16:22 ` Paul Moore
2025-10-22 1:30 ` patchwork-bot+netdevbpf
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).