From: Alexey Gladkov <legion@kernel.org>
To: Ondrej Mosnacek <omosnace@redhat.com>
Cc: Andrew Morton <akpm@linux-foundation.org>,
"Eric W . Biederman" <ebiederm@xmission.com>,
linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org, selinux@vger.kernel.org
Subject: Re: [PATCH] ipc: don't audit capability check in ipc_permissions()
Date: Thu, 22 Jan 2026 15:37:20 +0100 [thread overview]
Message-ID: <aXI2IOmVZTWlYE_9@example.org> (raw)
In-Reply-To: <20260122141303.241133-1-omosnace@redhat.com>
On Thu, Jan 22, 2026 at 03:13:03PM +0100, Ondrej Mosnacek wrote:
> The IPC sysctls implement the ctl_table_root::permissions hook and
> they override the file access mode based on the CAP_CHECKPOINT_RESTORE
> capability, which is being checked regardless of whether any access is
> actually denied or not, so if an LSM denies the capability, an audit
> record may be logged even when access is in fact granted.
>
> It wouldn't be viable to restructure the sysctl permission logic to only
> check the capability when the access would be actually denied if it's
> not granted. Thus, do the same as in net_ctl_permissions()
> (net/sysctl_net.c) - switch from ns_capable() to ns_capable_noaudit(),
> so that the check never emits an audit record.
>
> Fixes: 0889f44e2810 ("ipc: Check permissions for checkpoint_restart sysctls at open time")
> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Some permission hooks already use ns_capable_noaudit.
For example, pid_table_root_permissions.
I think it makes sense here also.
Acked-by: Alexey Gladkov <legion@kernel.org>
> ---
> include/linux/capability.h | 6 ++++++
> ipc/ipc_sysctl.c | 2 +-
> 2 files changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/include/linux/capability.h b/include/linux/capability.h
> index 1fb08922552c7..37db92b3d6f89 100644
> --- a/include/linux/capability.h
> +++ b/include/linux/capability.h
> @@ -203,6 +203,12 @@ static inline bool checkpoint_restore_ns_capable(struct user_namespace *ns)
> ns_capable(ns, CAP_SYS_ADMIN);
> }
>
> +static inline bool checkpoint_restore_ns_capable_noaudit(struct user_namespace *ns)
> +{
> + return ns_capable_noaudit(ns, CAP_CHECKPOINT_RESTORE) ||
> + ns_capable_noaudit(ns, CAP_SYS_ADMIN);
> +}
> +
> /* audit system wants to get cap info from files as well */
> int get_vfs_caps_from_disk(struct mnt_idmap *idmap,
> const struct dentry *dentry,
> diff --git a/ipc/ipc_sysctl.c b/ipc/ipc_sysctl.c
> index 15b17e86e198c..9b087ebeb643b 100644
> --- a/ipc/ipc_sysctl.c
> +++ b/ipc/ipc_sysctl.c
> @@ -214,7 +214,7 @@ static int ipc_permissions(struct ctl_table_header *head, const struct ctl_table
> if (((table->data == &ns->ids[IPC_SEM_IDS].next_id) ||
> (table->data == &ns->ids[IPC_MSG_IDS].next_id) ||
> (table->data == &ns->ids[IPC_SHM_IDS].next_id)) &&
> - checkpoint_restore_ns_capable(ns->user_ns))
> + checkpoint_restore_ns_capable_noaudit(ns->user_ns))
> mode = 0666;
> else
> #endif
> --
> 2.52.0
>
--
Rgrds, legion
next prev parent reply other threads:[~2026-01-22 14:37 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-22 14:13 [PATCH] ipc: don't audit capability check in ipc_permissions() Ondrej Mosnacek
2026-01-22 14:37 ` Alexey Gladkov [this message]
2026-01-26 22:50 ` Paul Moore
2026-01-27 2:01 ` Serge E. Hallyn
2026-01-27 22:06 ` Paul Moore
2026-01-28 3:26 ` Serge E. Hallyn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aXI2IOmVZTWlYE_9@example.org \
--to=legion@kernel.org \
--cc=akpm@linux-foundation.org \
--cc=ebiederm@xmission.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=omosnace@redhat.com \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox