[PATCH] ucount: check for CAP_SYS_RESOURCE using ns_capable_noaudit()
Serge E. Hallyn
serge at hallyn.com
Tue Jan 27 01:47:15 UTC 2026
On Mon, Jan 26, 2026 at 05:52:03PM -0500, Paul Moore wrote:
> On Thu, Jan 22, 2026 at 9:25 AM Ondrej Mosnacek <omosnace at redhat.com> wrote:
> >
> > The user.* sysctls implement the ctl_table_root::permissions hook and
> > they override the file access mode based on the CAP_SYS_RESOURCE
> > capability (at most rwx if capable, at most r-- if not). The capability
> > is being checked unconditionally, so if an LSM denies the capability, an
> > audit record may be logged even when access is in fact granted.
> >
> > Given the logic in the set_permissions() function in kernel/ucount.c and
> > the unfortunate way the permission checking is implemented, it doesn't
> > seem viable to avoid false positive denials by deferring the capability
> > check. Thus, do the same as in net_ctl_permissions() (net/sysctl_net.c)
> > - switch from ns_capable() to ns_capable_noaudit(), so that the check
> > never logs an audit record.
> >
> > Fixes: dbec28460a89 ("userns: Add per user namespace sysctls.")
> > Signed-off-by: Ondrej Mosnacek <omosnace at redhat.com>
> > ---
> > kernel/ucount.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
>
> Reviewed-by: Paul Moore <paul at paul-moore.com>
Acked-by: Serge Hallyn <serge at hallyn.com>
Looks good to me. What tree should this go through? Network?
More information about the Linux-security-module-archive
mailing list