Merge: [rhel-9] bpf: Do not audit capability check in do_jit()

CKI KWF Bot · CKI KWF Bot · commit 144e2bc70023 · 2025-11-12T11:20:07.000Z
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/7544 JIRA: https://issues.redhat.com/browse/RHEL-105376 Backport one commit that silences CAP_SYS_ADMIN denials when BPF decides whether to apply a Spectre mitigation. Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> Approved-by: Viktor Malik <vmalik@redhat.com> Approved-by: Gregory Bell <grbell@redhat.com> Approved-by: CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> Merged-by: CKI GitLab Kmaint Pipeline Bot <26919896-cki-kmaint-pipeline-bot@users.noreply.gitlab.com>
diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c
@@ -2450,7 +2450,7 @@ st:			if (is_imm8(insn->off))
 			/* Update cleanup_addr */
 			ctx->cleanup_addr = proglen;
 			if (bpf_prog_was_classic(bpf_prog) &&
-			    !capable(CAP_SYS_ADMIN)) {
+			    !ns_capable_noaudit(&init_user_ns, CAP_SYS_ADMIN)) {
 				u8 *ip = image + addrs[i - 1];
 
 				if (emit_spectre_bhb_barrier(&prog, ip, bpf_prog))
