[PATCH] ucount: check for CAP_SYS_RESOURCE using ns_capable_noaudit()

[Paul Moore]

On Tue, Jan 27, 2026 at 3:05 AM Ondrej Mosnacek <omosnace at redhat.com> wrote:
>
> On Tue, Jan 27, 2026 at 2:55 AM Serge E. Hallyn <serge at hallyn.com> wrote:
> >
> > On Mon, Jan 26, 2026 at 05:52:03PM -0500, Paul Moore wrote:
> > > On Thu, Jan 22, 2026 at 9:25 AM Ondrej Mosnacek <omosnace at redhat.com> wrote:
> > > >
> > > > The user.* sysctls implement the ctl_table_root::permissions hook and
> > > > they override the file access mode based on the CAP_SYS_RESOURCE
> > > > capability (at most rwx if capable, at most r-- if not). The capability
> > > > is being checked unconditionally, so if an LSM denies the capability, an
> > > > audit record may be logged even when access is in fact granted.
> > > >
> > > > Given the logic in the set_permissions() function in kernel/ucount.c and
> > > > the unfortunate way the permission checking is implemented, it doesn't
> > > > seem viable to avoid false positive denials by deferring the capability
> > > > check. Thus, do the same as in net_ctl_permissions() (net/sysctl_net.c)
> > > > - switch from ns_capable() to ns_capable_noaudit(), so that the check
> > > > never logs an audit record.
> > > >
> > > > Fixes: dbec28460a89 ("userns: Add per user namespace sysctls.")
> > > > Signed-off-by: Ondrej Mosnacek <omosnace at redhat.com>
> > > > ---
> > > >  kernel/ucount.c | 2 +-
> > > >  1 file changed, 1 insertion(+), 1 deletion(-)
> > >
> > > Reviewed-by: Paul Moore <paul at paul-moore.com>
> >
> > Acked-by: Serge Hallyn <serge at hallyn.com>
> >
> > Looks good to me.  What tree should this go through?  Network?
>
> Andrew has already applied the two patches I posted into his
> mm-nonmm-unstable branch, so I assume they are set to go through his
> tree.

Andrew, any chance we can get a reply to these threads when you merge
a patch into your tree?

-- 
paul-moore.com