]> Gentwo Git Trees - linux/.git/commit
gentwo / linux / .git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: f99b391) | patch
pid: use ns_capable_noaudit() when determining net sysctl permissions
authorChristian Göttsche <cgzones@googlemail.com>
Wed, 10 Sep 2025 19:26:05 +0000 (21:26 +0200)
committerChristian Brauner <brauner@kernel.org>
Fri, 19 Sep 2025 11:08:31 +0000 (13:08 +0200)
commitb9cb7e59ac4ae68940347ebfc41e0436d32d3c6e
tree0db9b37528540c1421f6bd4b5614501a3b1c9ae6tree | snapshot
parentf99b3917789d83ea89b24b722d784956f8289f45commit | diff
pid: use ns_capable_noaudit() when determining net sysctl permissions

The capability check should not be audited since it is only being used
to determine the inode permissions. A failed check does not indicate a
violation of security policy but, when an LSM is enabled, a denial audit
message was being generated.

The denial audit message can either lead to the capability being
unnecessarily allowed in a security policy, or being silenced potentially
masking a legitimate capability check at a later point in time.

Similar to commit d6169b0206db ("net: Use ns_capable_noaudit() when
determining net sysctl permissions")

Fixes: 7863dcc72d0f ("pid: allow pid_max to be set per pid namespace")
CC: Christian Brauner <brauner@kernel.org>
CC: linux-security-module@vger.kernel.org
CC: selinux@vger.kernel.org
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Serge Hallyn <serge@hallyn.com>
Reviewed-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Christian Brauner <brauner@kernel.org>
kernel/pid.c diff | blob | blame | history
Development tree.