[PATCH 6.17 004/563] pid: use ns_capable_noaudit() when determining net sysctl permissions

Greg Kroah-Hartman gregkh at linuxfoundation.org
Mon Oct 13 14:37:45 UTC 2025 

6.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Christian Göttsche <cgzones at googlemail.com>

[ Upstream commit b9cb7e59ac4ae68940347ebfc41e0436d32d3c6e ]

The capability check should not be audited since it is only being used
to determine the inode permissions. A failed check does not indicate a
violation of security policy but, when an LSM is enabled, a denial audit
message was being generated.

The denial audit message can either lead to the capability being
unnecessarily allowed in a security policy, or being silenced potentially
masking a legitimate capability check at a later point in time.

Similar to commit d6169b0206db ("net: Use ns_capable_noaudit() when
determining net sysctl permissions")

Fixes: 7863dcc72d0f ("pid: allow pid_max to be set per pid namespace")
CC: Christian Brauner <brauner at kernel.org>
CC: linux-security-module at vger.kernel.org
CC: selinux at vger.kernel.org
Signed-off-by: Christian Göttsche <cgzones at googlemail.com>
Acked-by: Serge Hallyn <serge at hallyn.com>
Reviewed-by: Paul Moore <paul at paul-moore.com>
Signed-off-by: Christian Brauner <brauner at kernel.org>
Signed-off-by: Sasha Levin <sashal at kernel.org>
---
 kernel/pid.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/pid.c b/kernel/pid.c
index c45a28c16cd25..d94ce02505012 100644
--- a/kernel/pid.c
+++ b/kernel/pid.c
@@ -680,7 +680,7 @@ static int pid_table_root_permissions(struct ctl_table_header *head,
 		container_of(head->set, struct pid_namespace, set);
 	int mode = table->mode;
 
-	if (ns_capable(pidns->user_ns, CAP_SYS_ADMIN) ||
+	if (ns_capable_noaudit(pidns->user_ns, CAP_SYS_ADMIN) ||
 	    uid_eq(current_euid(), make_kuid(pidns->user_ns, 0)))
 		mode = (mode & S_IRWXU) >> 6;
 	else if (in_egroup_p(make_kgid(pidns->user_ns, 0)))
-- 
2.51.0

More information about the Linux-security-module-archive mailing list