[PATCH] x86/bpf: use bpf_capable() instead of capable(CAP_SYS_ADMIN)
Serge E. Hallyn
serge at hallyn.com
Fri Aug 8 23:58:57 UTC 2025
On Wed, Aug 06, 2025 at 08:18:55PM -0500, Serge E. Hallyn wrote:
> On Wed, Aug 06, 2025 at 04:31:05PM +0200, Ondrej Mosnacek wrote:
> > Don't check against the overloaded CAP_SYS_ADMINin do_jit(), but instead
> > use bpf_capable(), which checks against the more granular CAP_BPF first.
> > Going straight to CAP_SYS_ADMIN may cause unnecessary audit log spam
> > under SELinux, as privileged domains using BPF would usually only be
> > allowed CAP_BPF and not CAP_SYS_ADMIN.
> >
> > Link: https://bugzilla.redhat.com/show_bug.cgi?id=2369326
> > Fixes: d4e89d212d40 ("x86/bpf: Call branch history clearing sequence on exit")
> > Signed-off-by: Ondrej Mosnacek <omosnace at redhat.com>
>
> So this seems correct, *provided* that we consider it within the purview of
> CAP_BPF to be able to avoid clearing the branch history buffer.
>
> I suspect that's the case, but it might warrant discussion.
>
> Reviewed-by: Serge Hallyn <serge at hallyn.com>
(BTW, I'm assuming this will get pulled into a BPF tree or something, and
doesn't need to go into the capabilities tree. Let me know if that's wrong)
> > ---
> > arch/x86/net/bpf_jit_comp.c | 3 +--
> > 1 file changed, 1 insertion(+), 2 deletions(-)
> >
> > diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c
> > index 15672cb926fc1..2a825e5745ca1 100644
> > --- a/arch/x86/net/bpf_jit_comp.c
> > +++ b/arch/x86/net/bpf_jit_comp.c
> > @@ -2591,8 +2591,7 @@ emit_jmp:
> > seen_exit = true;
> > /* Update cleanup_addr */
> > ctx->cleanup_addr = proglen;
> > - if (bpf_prog_was_classic(bpf_prog) &&
> > - !capable(CAP_SYS_ADMIN)) {
> > + if (bpf_prog_was_classic(bpf_prog) && !bpf_capable()) {
> > u8 *ip = image + addrs[i - 1];
> >
> > if (emit_spectre_bhb_barrier(&prog, ip, bpf_prog))
> > --
> > 2.50.1
> >
More information about the Linux-security-module-archive
mailing list