[PATCH v2] x86/bpf: do not audit capability check in do_jit()
patchwork-bot+netdevbpf at kernel.org
Wed Oct 22 01:30:06 UTC 2025
Hello:
This patch was applied to bpf/bpf.git (master)
by Alexei Starovoitov <ast at kernel.org>:
On Tue, 21 Oct 2025 14:27:58 +0200 you wrote:
> The failure of this check only results in a security mitigation being
> applied, slightly affecting performance of the compiled BPF program. It
> doesn't result in a failed syscall, and thus auditing a failed LSM
> permission check for it is unwanted. For example with SELinux, it causes
> a denial to be reported for confined processes running as root, which
> tends to be flagged as a problem to be fixed in the policy. Yet
> dontauditing or allowing CAP_SYS_ADMIN to the domain may not be
> desirable, as it would allow/silence also other checks - either going
> against the principle of least privilege or making debugging potentially
> harder.
>
> [...]
Here is the summary with links:
- [v2] x86/bpf: do not audit capability check in do_jit()
https://git.kernel.org/bpf/bpf/c/881a9c9cb785
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html