bpf: Do not audit capability check in do_jit()

WOnder93 · WOnder93 · commit 1ca34df19f0b · 2025-10-31T10:41:31.000+01:00
JIRA: https://issues.redhat.com/browse/RHEL-108805 Upstream Status: https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git commit 881a9c9 Author: Ondrej Mosnacek <omosnace@redhat.com> Date: Tue Oct 21 14:27:58 2025 +0200 bpf: Do not audit capability check in do_jit() The failure of this check only results in a security mitigation being applied, slightly affecting performance of the compiled BPF program. It doesn't result in a failed syscall, an thus auditing a failed LSM permission check for it is unwanted. For example with SELinux, it causes a denial to be reported for confined processes running as root, which tends to be flagged as a problem to be fixed in the policy. Yet dontauditing or allowing CAP_SYS_ADMIN to the domain may not be desirable, as it would allow/silence also other checks - either going against the principle of least privilege or making debugging potentially harder. Fix it by changing it from capable() to ns_capable_noaudit(), which instructs the LSMs to not audit the resulting denials. Link: https://bugzilla.redhat.com/show_bug.cgi?id=2369326 Fixes: d4e89d2 ("x86/bpf: Call branch history clearing sequence on exit") Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> Reviewed-by: Paul Moore <paul@paul-moore.com> Link: https://lore.kernel.org/r/20251021122758.2659513-1-omosnace@redhat.com Signed-off-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c
@@ -2584,7 +2584,7 @@ st:			if (is_imm8(insn->off))
 			/* Update cleanup_addr */
 			ctx->cleanup_addr = proglen;
 			if (bpf_prog_was_classic(bpf_prog) &&
-			    !capable(CAP_SYS_ADMIN)) {
+			    !ns_capable_noaudit(&init_user_ns, CAP_SYS_ADMIN)) {
 				u8 *ip = image + addrs[i - 1];
 
 				if (emit_spectre_bhb_barrier(&prog, ip, bpf_prog))
