git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Ondrej Mosnacek <omosnace@redhat.com>
	Thu, 22 Jan 2026 14:13:03 +0000 (15:13 +0100)
committer	Andrew Morton <akpm@linux-foundation.org>
	Sun, 1 Feb 2026 00:16:07 +0000 (16:16 -0800)
commit	8924336531e21b187d724b5fdf5277269c9ec22c
tree	c6566876347955c691fde53d8d794502cc23b4c9	tree
parent	480e1d5c64bb14441f79f2eb9421d5e26f91ea3d	commit \| diff

ipc: don't audit capability check in ipc_permissions()

The IPC sysctls implement the ctl_table_root::permissions hook and they
override the file access mode based on the CAP_CHECKPOINT_RESTORE
capability, which is being checked regardless of whether any access is
actually denied or not, so if an LSM denies the capability, an audit
record may be logged even when access is in fact granted.

It wouldn't be viable to restructure the sysctl permission logic to only
check the capability when the access would be actually denied if it's not
granted. Thus, do the same as in net_ctl_permissions() (net/sysctl_net.c)
- switch from ns_capable() to ns_capable_noaudit(), so that the check
never emits an audit record.

Link: https://lkml.kernel.org/r/20260122141303.241133-1-omosnace@redhat.com
Fixes: 0889f44e2810 ("ipc: Check permissions for checkpoint_restart sysctls at open time")
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Acked-by: Alexey Gladkov <legion@kernel.org>
Acked-by: Serge Hallyn <serge@hallyn.com>
Cc: Eric Biederman <ebiederm@xmission.com>
Cc: Paul Moore <paul@paul-moore.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>

include/linux/capability.h		diff \| blob \| blame \| history
ipc/ipc_sysctl.c		diff \| blob \| blame \| history