On Wed, Aug 06, 2025 at 04:31:05PM +0200, Ondrej Mosnacek wrote: > Don't check against the overloaded CAP_SYS_ADMINin do_jit(), but instead > use bpf_capable(), which checks against the more granular CAP_BPF first. > Going straight to CAP_SYS_ADMIN may cause unnecessary audit log spam > under SELinux, as privileged domains using BPF would usually only be > allowed CAP_BPF and not CAP_SYS_ADMIN. > > Link: https://bugzilla.redhat.com/show_bug.cgi?id=2369326 > Fixes: d4e89d212d40 ("x86/bpf: Call branch history clearing sequence on exit") > Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx> So this seems correct, *provided* that we consider it within the purview of CAP_BPF to be able to avoid clearing the branch history buffer. I suspect that's the case, but it might warrant discussion. Reviewed-by: Serge Hallyn <serge@xxxxxxxxxx> > --- > arch/x86/net/bpf_jit_comp.c | 3 +-- > 1 file changed, 1 insertion(+), 2 deletions(-) > > diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c > index 15672cb926fc1..2a825e5745ca1 100644 > --- a/arch/x86/net/bpf_jit_comp.c > +++ b/arch/x86/net/bpf_jit_comp.c > @@ -2591,8 +2591,7 @@ emit_jmp: > seen_exit = true; > /* Update cleanup_addr */ > ctx->cleanup_addr = proglen; > - if (bpf_prog_was_classic(bpf_prog) && > - !capable(CAP_SYS_ADMIN)) { > + if (bpf_prog_was_classic(bpf_prog) && !bpf_capable()) { > u8 *ip = image + addrs[i - 1]; > > if (emit_spectre_bhb_barrier(&prog, ip, bpf_prog)) > -- > 2.50.1 >
