[PATCH] ipc: don't audit capability check in ipc_permissions()
Paul Moore
paul at paul-moore.com
Mon Jan 26 22:50:12 UTC 2026
On Thu, Jan 22, 2026 at 9:56 AM Ondrej Mosnacek <omosnace at redhat.com> wrote:
>
> The IPC sysctls implement the ctl_table_root::permissions hook and
> they override the file access mode based on the CAP_CHECKPOINT_RESTORE
> capability, which is being checked regardless of whether any access is
> actually denied or not, so if an LSM denies the capability, an audit
> record may be logged even when access is in fact granted.
>
> It wouldn't be viable to restructure the sysctl permission logic to only
> check the capability when the access would be actually denied if it's
> not granted. Thus, do the same as in net_ctl_permissions()
> (net/sysctl_net.c) - switch from ns_capable() to ns_capable_noaudit(),
> so that the check never emits an audit record.
>
> Fixes: 0889f44e2810 ("ipc: Check permissions for checkpoint_restart sysctls at open time")
> Signed-off-by: Ondrej Mosnacek <omosnace at redhat.com>
> ---
> include/linux/capability.h | 6 ++++++
> ipc/ipc_sysctl.c | 2 +-
> 2 files changed, 7 insertions(+), 1 deletion(-)
This change seems reasonable to me, but I would make sure Serge has a
chance to review/ACK this patch as it has a capability impact.
--
paul-moore.com
More information about the Linux-security-module-archive
mailing list