The capability check can cause SELinux denial. For example, in ptp4l, setsockopt() with the SO_ATTACH_FILTER option raises sk_attach_filter() to run a bpf program. SELinux hooks into capable() calls and performs an additional check if the task's SELinux domain has permission to "use" the given capability. ptp4l_t already has CAP_BPF granted by SELinux, so if the function used bpf_capable() as most BPF code does, there would be no change needed in selinux-policy. Signed-off-by: Yauheni Kaliuta <ykaliuta@xxxxxxxxxx> --- v2: put the reasoning in the commit message --- include/linux/filter.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/linux/filter.h b/include/linux/filter.h index a5f21dc3c432..3de96b1a736b 100644 --- a/include/linux/filter.h +++ b/include/linux/filter.h @@ -1100,7 +1100,7 @@ static inline bool bpf_jit_blinding_enabled(struct bpf_prog *prog) return false; if (!bpf_jit_harden) return false; - if (bpf_jit_harden == 1 && capable(CAP_SYS_ADMIN)) + if (bpf_jit_harden == 1 && bpf_capable()) return false; return true; -- 2.34.1
