When qrtr is loaded as module, qrtr-ns runs from SELinux kmod_t domain. On targets using upstream SELinux policies, this domain does not receive CAP_NET_ADMIN, which prevents it from binding control port even though qrtr-ns is a trusted system component. Granting kmod_t the CAP_NET_ADMIN capability in policy is possible, but not desirable, as kmod_t is not expected to perform networking operations and widening its capability set is discouraged. To address this in a contained way within qrtr, extend the control port permission check to allow binding when either: - the process has CAP_NET_ADMIN, or - the process belongs to GLOBAL_ROOT_GID (root-equivalent tasks) This permits qrtr-ns to successfully bind its control port in kmod_t restricted environments without broadening SELinux capability assignments. Co-developed-by: Deepak Kumar Singh Signed-off-by: Deepak Kumar Singh Signed-off-by: Vishnu Santhosh --- net/qrtr/af_qrtr.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/net/qrtr/af_qrtr.c b/net/qrtr/af_qrtr.c index dab839f61ee93b876021d904ae6b8dca8ed43745..b0e252c16f156c05973988fbdf317a149ad9840d 100644 --- a/net/qrtr/af_qrtr.c +++ b/net/qrtr/af_qrtr.c @@ -8,6 +8,7 @@ #include #include /* For TIOCINQ/OUTQ */ #include +#include #include #include @@ -738,7 +739,8 @@ static int qrtr_port_assign(struct qrtr_sock *ipc, int *port) if (!*port) { rc = xa_alloc(&qrtr_ports, port, ipc, QRTR_EPH_PORT_RANGE, GFP_KERNEL); - } else if (*port < QRTR_MIN_EPH_SOCKET && !capable(CAP_NET_ADMIN)) { + } else if (*port < QRTR_MIN_EPH_SOCKET && !(capable(CAP_NET_ADMIN) || + in_egroup_p(GLOBAL_ROOT_GID))) { rc = -EACCES; } else if (*port == QRTR_PORT_CTRL) { rc = xa_insert(&qrtr_ports, 0, ipc, GFP_KERNEL); --- base-commit: f14faaf3a1fb3b9e4cf2e56269711fb85fba9458 change-id: 20260205-qrtr-control-port-access-permission-bfea19994a58 Best regards, -- Vishnu Santhosh