Commit 09a2aac

Author: CKI KWF Bot
Merge: [rhel-10] bpf: Do not audit capability check in do_jit()
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-10/-/merge_requests/1693
JIRA: https://issues.redhat.com/browse/RHEL-108805

Backport one commit that silences CAP_SYS_ADMIN denials when BPF decides whether to apply a Spectre mitigation.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Approved-by: Viktor Malik <vmalik@redhat.com>
Approved-by: Gregory Bell <grbell@redhat.com>
Approved-by: CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com>
Merged-by: CKI GitLab Kmaint Pipeline Bot <26919896-cki-kmaint-pipeline-bot@users.noreply.gitlab.com>
2 parents 9a797f7 + 1ca34df commit 09a2aac

1 file changed: +1 -1 lines changed

arch/x86/net/bpf_jit_comp.c

Lines changed: 1 addition & 1 deletion
@@ -2584,7 +2584,7 @@ st: if (is_imm8(insn->off))
25842584
/* Update cleanup_addr */
25852585
ctx->cleanup_addr = proglen;
25862586
if (bpf_prog_was_classic(bpf_prog) &&
2587-
!capable(CAP_SYS_ADMIN)) {
2587+
!ns_capable_noaudit(&init_user_ns, CAP_SYS_ADMIN)) {
25882588
u8 *ip = image + addrs[i - 1];
25892589

25902590
if (emit_spectre_bhb_barrier(&prog, ip, bpf_prog))
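
Review bot: the new condition at line 2587 carries no comment explaining why the non-auditing helper is used, so a later cleanup could easily turn it back into capable(CAP_SYS_ADMIN) and bring the denials back. The result of this check only selects whether emit_spectre_bhb_barrier() is emitted for a classic BPF program; nothing is refused to the caller, which is why an audit record for a failed check is noise here. A one-line comment above the if stating that would be enough. It would also help to note that passing &init_user_ns keeps the same namespace scope that capable() has, so the only intended difference is the missing audit record.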
