[PATCH] ucount: check for CAP_SYS_RESOURCE using ns_capable_noaudit()
Ondrej Mosnacek
omosnace at redhat.com
Tue Jan 27 08:05:06 UTC 2026
On Tue, Jan 27, 2026 at 2:55 AM Serge E. Hallyn <serge at hallyn.com> wrote:
>
> On Mon, Jan 26, 2026 at 05:52:03PM -0500, Paul Moore wrote:
> > On Thu, Jan 22, 2026 at 9:25 AM Ondrej Mosnacek <omosnace at redhat.com> wrote:
> > >
> > > The user.* sysctls implement the ctl_table_root::permissions hook and
> > > they override the file access mode based on the CAP_SYS_RESOURCE
> > > capability (at most rwx if capable, at most r-- if not). The capability
> > > is being checked unconditionally, so if an LSM denies the capability, an
> > > audit record may be logged even when access is in fact granted.
> > >
> > > Given the logic in the set_permissions() function in kernel/ucount.c and
> > > the unfortunate way the permission checking is implemented, it doesn't
> > > seem viable to avoid false positive denials by deferring the capability
> > > check. Thus, do the same as in net_ctl_permissions() (net/sysctl_net.c)
> > > - switch from ns_capable() to ns_capable_noaudit(), so that the check
> > > never logs an audit record.
> > >
> > > Fixes: dbec28460a89 ("userns: Add per user namespace sysctls.")
> > > Signed-off-by: Ondrej Mosnacek <omosnace at redhat.com>
> > > ---
> > > kernel/ucount.c | 2 +-
> > > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > Reviewed-by: Paul Moore <paul at paul-moore.com>
>
> Acked-by: Serge Hallyn <serge at hallyn.com>
>
> Looks good to me. What tree should this go through? Network?
Andrew has already applied the two patches I posted into his
mm-nonmm-unstable branch, so I assume they are set to go through his
tree.
https://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm.git/log/?h=mm-nonmm-unstable
--
Ondrej Mosnacek
Senior Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.
More information about the Linux-security-module-archive
mailing list