bpf: Do not audit capability check in do_jit()

[ Upstream commit 881a9c9cb7856b24e390fad9f59acfd73b98b3b2 ]

The failure of this check only results in a security mitigation being
applied, slightly affecting performance of the compiled BPF program. It
doesn't result in a failed syscall, an thus auditing a failed LSM
permission check for it is unwanted. For example with SELinux, it causes
a denial to be reported for confined processes running as root, which
tends to be flagged as a problem to be fixed in the policy. Yet
dontauditing or allowing CAP_SYS_ADMIN to the domain may not be
desirable, as it would allow/silence also other checks - either going
against the principle of least privilege or making debugging potentially
harder.

Fix it by changing it from capable() to ns_capable_noaudit(), which
instructs the LSMs to not audit the resulting denials.

Link: https://bugzilla.redhat.com/show_bug.cgi?id=2369326
Fixes: d4e89d212d40 ("x86/bpf: Call branch history clearing sequence on exit")
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-by: Paul Moore <paul@paul-moore.com>
Link: https://lore.kernel.org/r/20251021122758.2659513-1-omosnace@redhat.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c
index 9a861ac77f8eb4e2c5775a9d52e7756a8c554cad..8cbc26081bdb2760c88c5638d64fb44ada854053 100644 (file)
--- a/arch/x86/net/bpf_jit_comp.c
+++ b/arch/x86/net/bpf_jit_comp.c
@@ -2453,7 +2453,7 @@ emit_jmp:
                        /* Update cleanup_addr */
                        ctx->cleanup_addr = proglen;
                        if (bpf_prog_was_classic(bpf_prog) &&
-                           !capable(CAP_SYS_ADMIN)) {
+                           !ns_capable_noaudit(&init_user_ns, CAP_SYS_ADMIN)) {
                                u8 *ip = image + addrs[i - 1];
 
                                if (emit_spectre_bhb_barrier(&prog, ip, bpf_prog))