[PATCH] bpf, arm64: Do not audit capability check in do_jit()
patchwork-bot+netdevbpf at kernel.org
patchwork-bot+netdevbpf at kernel.org
Wed Dec 10 07:30:11 UTC 2025
Hello:
This patch was applied to bpf/bpf.git (master)
by Alexei Starovoitov <ast at kernel.org>:
On Thu, 4 Dec 2025 13:59:16 +0100 you wrote:
> Analogically to the x86 commit 881a9c9cb785 ("bpf: Do not audit
> capability check in do_jit()"), change the capable() call to
> ns_capable_noaudit() in order to avoid spurious SELinux denials in audit
> log.
>
> The commit log from that commit applies here as well:
> """
> The failure of this check only results in a security mitigation being
> applied, slightly affecting performance of the compiled BPF program. It
> doesn't result in a failed syscall, an thus auditing a failed LSM
> permission check for it is unwanted. For example with SELinux, it causes
> a denial to be reported for confined processes running as root, which
> tends to be flagged as a problem to be fixed in the policy. Yet
> dontauditing or allowing CAP_SYS_ADMIN to the domain may not be
> desirable, as it would allow/silence also other checks - either going
> against the principle of least privilege or making debugging potentially
> harder.
>
> [...]
Here is the summary with links:
- bpf, arm64: Do not audit capability check in do_jit()
https://git.kernel.org/bpf/bpf/c/189e5deb944a
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
More information about the Linux-security-module-archive
mailing list