Unverified Commit b9cb7e59 authored Sep 10, 2025 by Christian Göttsche Committed by Christian Brauner Sep 19, 2025

pid: use ns_capable_noaudit() when determining net sysctl permissions



The capability check should not be audited since it is only being used
to determine the inode permissions. A failed check does not indicate a
violation of security policy but, when an LSM is enabled, a denial audit
message was being generated.

The denial audit message can either lead to the capability being
unnecessarily allowed in a security policy, or being silenced potentially
masking a legitimate capability check at a later point in time.

Similar to commit d6169b02 ("net: Use ns_capable_noaudit() when
determining net sysctl permissions")

Fixes: 7863dcc7 ("pid: allow pid_max to be set per pid namespace")
CC: Christian Brauner <brauner@kernel.org>
CC: linux-security-module@vger.kernel.org
CC: selinux@vger.kernel.org
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Serge Hallyn <serge@hallyn.com>
Reviewed-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Christian Brauner <brauner@kernel.org>

parent f99b3917

kernel/pid.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -680,7 +680,7 @@ static int pid_table_root_permissions(struct ctl_table_header *head,
		container_of(head->set, struct pid_namespace, set);
		int mode = table->mode;

		if (ns_capable(pidns->user_ns, CAP_SYS_ADMIN) \|\|
		if (ns_capable_noaudit(pidns->user_ns, CAP_SYS_ADMIN) \|\|
		uid_eq(current_euid(), make_kuid(pidns->user_ns, 0)))
		mode = (mode & S_IRWXU) >> 6;
		else if (in_egroup_p(make_kgid(pidns->user_ns, 0)))