From: Ondrej Mosnacek
To: Andrew Morton, "Eric W . Biederman"
Cc: Alexey Gladkov, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org
Subject: [PATCH] ipc: don't audit capability check in ipc_permissions()
Date: Thu, 22 Jan 2026 15:13:03 +0100
Message-ID: <20260122141303.241133-1-omosnace@redhat.com>
X-Mailer: git-send-email 2.52.0
X-Mailing-List: linux-kernel@vger.kernel.org

The IPC sysctls implement the ctl_table_root::permissions hook and they
override the file access mode based on the CAP_CHECKPOINT_RESTORE
capability, which is being checked regardless of whether any access is
actually denied or not, so if an LSM denies the capability, an audit
record may be logged even when access is in fact granted.

It wouldn't be viable to restructure the sysctl permission logic to only
check the capability when the access would be actually denied if it's
not granted. Thus, do the same as in net_ctl_permissions()
(net/sysctl_net.c) - switch from ns_capable() to ns_capable_noaudit(),
so that the check never emits an audit record.

Fixes: 0889f44e2810 ("ipc: Check permissions for checkpoint_restart sysctls at open time")
Signed-off-by: Ondrej Mosnacek
Acked-by: Alexey Gladkov
Acked-by: Serge Hallyn
---
 include/linux/capability.h | 6 ++++++
 ipc/ipc_sysctl.c           | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/include/linux/capability.h b/include/linux/capability.h
index 1fb08922552c7..37db92b3d6f89 100644
--- a/include/linux/capability.h
+++ b/include/linux/capability.h
@@ -203,6 +203,12 @@ static inline bool checkpoint_restore_ns_capable(struc= t user_namespace *ns) ns_capable(ns, CAP_SYS_ADMIN); } =20 +static inline bool checkpoint_restore_ns_capable_noaudit(struct user_names= pace *ns) +{ + return ns_capable_noaudit(ns, CAP_CHECKPOINT_RESTORE) || + ns_capable_noaudit(ns, CAP_SYS_ADMIN); +} + /* audit system wants to get cap info from files as well */ int get_vfs_caps_from_disk(struct mnt_idmap *idmap, const struct dentry *dentry, diff --git a/ipc/ipc_sysctl.c b/ipc/ipc_sysctl.c index 15b17e86e198c..9b087ebeb643b 100644 --- a/ipc/ipc_sysctl.c +++ b/ipc/ipc_sysctl.c @@ -214,7 +214,7 @@ static int ipc_permissions(struct ctl_table_header *hea= d, const struct ctl_table if (((table->data =3D=3D &ns->ids[IPC_SEM_IDS].next_id) || (table->data =3D=3D &ns->ids[IPC_MSG_IDS].next_id) || (table->data =3D=3D &ns->ids[IPC_SHM_IDS].next_id)) && - checkpoint_restore_ns_capable(ns->user_ns)) + checkpoint_restore_ns_capable_noaudit(ns->user_ns)) mode =3D 0666; else #endif --=20 2.52.0
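Review bot: the new checkpoint_restore_ns_capable_noaudit() helper in the include/linux/capability.h hunk carries no comment saying when it, rather than checkpoint_restore_ns_capable() directly above it, is the right call; since the only difference is audit suppression, a later reader may "simplify" a caller back to the audited form and reintroduce the spurious records. A short comment above the helper would prevent that, e.g. `/* Like checkpoint_restore_ns_capable(), but never emits an audit record; use only where a negative result does not itself deny access. */`. Checking CAP_CHECKPOINT_RESTORE before CAP_SYS_ADMIN matches the order in the existing helper, which is fine.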
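Review bot: in the ipc/ipc_sysctl.c hunk, an LSM denial of the capability now falls silently into the `else` branch (the table's own mode), which is the intended behaviour and mirrors net_ctl_permissions() as the commit message says, but nothing at the call site records that the noaudit variant is deliberate. A one-line comment above the `if`, such as `/* noaudit: a denial here only keeps the default mode, it does not deny access */`, would keep the rationale next to the code. Because of the `&&` short-circuit the capability check still runs only for the three next_id tables, so behaviour for every other IPC sysctl is unchanged.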
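The audit side effect that the patch removes, as an added user-space model that is not code from the kernel or from this patch: a mock LSM denies every capability (as a policy granting neither CAP_CHECKPOINT_RESTORE nor CAP_SYS_ADMIN would) and counts the audit records it would have emitted, while a model of ipc_permissions() widens the mode of a next_id table to 0666 only for capable callers. Running an unprivileged read of a 0644 table through the hook shows the open being granted by the table's own mode while the audited check still emits two denial records, and none with the noaudit variant. The capability and MAY_* constants mirror the kernel's values; the helper names, the per-check audit counter and the absence of user namespaces are this example's own simplifications.

```c
/*
 * Added example, not kernel code: a user-space model of an audited versus
 * a non-audited capability check inside a sysctl permissions hook.
 * The mock LSM below denies every capability and counts the audit records
 * it would have logged. Constants mirror the kernel's values; everything
 * else (helper names, the counter, no namespaces) is this model's own.
 */
#include <stdbool.h>
#include <stdio.h>

#define CAP_SYS_ADMIN          21
#define CAP_CHECKPOINT_RESTORE 40
#define MAY_READ  4
#define MAY_WRITE 2

static int  audit_records;   /* audit records the mock LSM emitted */
static bool caller_has_caps; /* whether the caller really holds the caps */

/* Model of security_capable(): same verdict either way, audit only when asked. */
static bool lsm_capable(int cap, bool audit)
{
	(void)cap;
	if (caller_has_caps)
		return true;
	if (audit)
		audit_records++;	/* a real LSM would log a capability denial here */
	return false;
}

static bool ns_capable(int cap)         { return lsm_capable(cap, true); }
static bool ns_capable_noaudit(int cap) { return lsm_capable(cap, false); }

static bool checkpoint_restore_ns_capable(void)
{
	return ns_capable(CAP_CHECKPOINT_RESTORE) || ns_capable(CAP_SYS_ADMIN);
}

static bool checkpoint_restore_ns_capable_noaudit(void)
{
	return ns_capable_noaudit(CAP_CHECKPOINT_RESTORE) ||
	       ns_capable_noaudit(CAP_SYS_ADMIN);
}

/*
 * Model of ipc_permissions(): for a *next_id table the mode is widened to
 * 0666 when the caller is checkpoint/restore capable; any other table keeps
 * its own mode and no capability check runs at all (the && short-circuit).
 */
static int ipc_permissions(bool is_next_id_table, int table_mode, bool noaudit)
{
	bool capable;

	if (!is_next_id_table)
		return table_mode;
	capable = noaudit ? checkpoint_restore_ns_capable_noaudit()
			  : checkpoint_restore_ns_capable();
	return capable ? 0666 : table_mode;
}

struct open_result {
	bool granted;	/* did the open succeed? */
	int  audit;	/* audit records emitted while deciding */
};

/*
 * One open() by an unprivileged caller that is not the file owner, so only
 * the "other" permission bits of the mode returned by the hook matter.
 */
static struct open_result try_open(bool noaudit, bool is_next_id_table,
				   int table_mode, int mask)
{
	struct open_result r;
	int mode;

	audit_records = 0;
	caller_has_caps = false;
	mode = ipc_permissions(is_next_id_table, table_mode, noaudit);
	r.granted = ((mode & 07) & mask) == mask;
	r.audit = audit_records;
	return r;
}

int main(void)
{
	struct open_result before = try_open(false, true, 0644, MAY_READ);
	struct open_result after  = try_open(true,  true, 0644, MAY_READ);

	printf("read of next_id, audited check: granted=%d audit_records=%d\n",
	       before.granted, before.audit);
	printf("read of next_id, noaudit check: granted=%d audit_records=%d\n",
	       after.granted, after.audit);
	return 0;
}
```

The model keeps the LSM verdict identical in both variants; only the audit side effect differs, which is exactly the property the switch to ns_capable_noaudit() relies on. A write by the same caller is still refused either way, since 0644 grants others no write bit, so the noaudit variant changes what is logged, not who gets in.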