From: Stefano Garzarella
To: netdev@vger.kernel.org
Cc: Eric Dumazet, linux-kernel@vger.kernel.org, Bobby Eshleman, Jakub Kicinski, Stefano Garzarella, virtualization@lists.linux.dev, Paolo Abeni, "Michael S. Tsirkin", Simon Horman, "David S. Miller"
Subject: [PATCH net 1/2] vsock: fix child netns mode initialization
Date: Thu, 12 Feb 2026 21:59:15 +0100
Message-ID: <20260212205916.97533-2-sgarzare@redhat.com>
In-Reply-To: <20260212205916.97533-1-sgarzare@redhat.com>
References: <20260212205916.97533-1-sgarzare@redhat.com>

From: Stefano Garzarella

When a new network namespace is created, vsock_net_init() correctly
initializes the namespace's mode by reading the parent's `child_ns_mode`
via vsock_net_child_mode(). However, the `child_ns_mode` of the new
namespace was always hardcoded to VSOCK_NET_MODE_GLOBAL, regardless of
its own mode.

This means that if a parent namespace has `child_ns_mode` set to "local",
the child namespace correctly gets mode "local", but its `child_ns_mode`
is reset to "global". As a result, further nested namespaces will
incorrectly get mode "global" instead of inheriting "local", breaking the
expected propagation of the mode through nested namespaces.

Fix this by initializing `child_ns_mode` to the namespace's own mode, so
the setting propagates correctly through all levels of nesting.

Fixes: eafb64f40ca4 ("vsock: add netns to vsock core")
Cc: bobbyeshleman@meta.com
Signed-off-by: Stefano Garzarella
Reviewed-by: Bobby Eshleman
---
 net/vmw_vsock/af_vsock.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
index 20ad2b2dc17b..3b629b4a0359 100644
--- a/net/vmw_vsock/af_vsock.c
+++ b/net/vmw_vsock/af_vsock.c
@@ -91,7 +91,8 @@ * - /proc/sys/net/vsock/ns_mode (read-only) reports the current namespa= ce's * mode, which is set at namespace creation and immutable thereafter. * - /proc/sys/net/vsock/child_ns_mode (writable) controls what mode fut= ure - * child namespaces will inherit when created. The default is "global". + * child namespaces will inherit when created. The initial value match= es + * the namespace's own ns_mode. * * Changing child_ns_mode only affects newly created namespaces, not the * current namespace or existing children. At namespace creation, ns_mode 
@@ -2912,7 +2913,7 @@ static void vsock_net_init(struct net *net) else net->vsock.mode =3D vsock_net_child_mode(current->nsproxy->net_ns); =20 - net->vsock.child_ns_mode =3D VSOCK_NET_MODE_GLOBAL; + net->vsock.child_ns_mode =3D net->vsock.mode; } =20 static __net_init int vsock_sysctl_init_net(struct net *net) --=20 2.53.0
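Review bot: the `net->vsock.child_ns_mode = net->vsock.mode;` line in the vsock_net_init() hunk only fixes the default; nothing in this hunk stops a later sysctl write from setting a "local" namespace's child_ns_mode back to VSOCK_NET_MODE_GLOBAL, so the propagation the commit message promises ("through all levels of nesting") still depends on the write-path check in 2/2. Worth stating that dependency in the commit message, and adding a selftest that builds a three-level nested namespace chain with the top-level child_ns_mode set to "local" and reads /proc/sys/net/vsock/ns_mode at each level, so that the hardcoded-"global" regression cannot return silently.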
From: Stefano Garzarella
To: netdev@vger.kernel.org
Cc: Eric Dumazet, linux-kernel@vger.kernel.org, Bobby Eshleman, Jakub Kicinski, Stefano Garzarella, virtualization@lists.linux.dev, Paolo Abeni, "Michael S. Tsirkin", Simon Horman, "David S. Miller"
Subject: [PATCH net 2/2] vsock: prevent child netns mode switch from local to global
Date: Thu, 12 Feb 2026 21:59:16 +0100
Message-ID: <20260212205916.97533-3-sgarzare@redhat.com>
In-Reply-To: <20260212205916.97533-1-sgarzare@redhat.com>
References: <20260212205916.97533-1-sgarzare@redhat.com>

From: Stefano Garzarella

A "local" namespace can change its `child_ns_mode` sysctl to "global",
allowing nested namespaces to access global CIDs. This can be exploited
by an unprivileged user who gained CAP_NET_ADMIN through a user
namespace.

Prevent this by rejecting writes that attempt to set `child_ns_mode` to
"global" when the current namespace's mode is "local".

Fixes: eafb64f40ca4 ("vsock: add netns to vsock core")
Cc: bobbyeshleman@meta.com
Signed-off-by: Stefano Garzarella
Reviewed-by: Bobby Eshleman
---
 net/vmw_vsock/af_vsock.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
index 3b629b4a0359..9880756d9eff 100644
--- a/net/vmw_vsock/af_vsock.c
+++ b/net/vmw_vsock/af_vsock.c
@@ -95,8 +95,9 @@ * the namespace's own ns_mode. * * Changing child_ns_mode only affects newly created namespaces, not the - * current namespace or existing children. At namespace creation, ns_mode - * is inherited from the parent's child_ns_mode. + * current namespace or existing children. A "local" namespace cannot set + * child_ns_mode to "global". At namespace creation, ns_mode is inherited + * from the parent's child_ns_mode. * * The init_net mode is "global" and cannot be modified. * @@ -2844,8 +2845,16 @@ static int vsock_net_child_mode_string(const struct = ctl_table *table, int write, if (ret) return ret; =20 - if (write) + if (write) { + /* Prevent a "local" namespace from escalating to "global", + * which would give nested namespaces access to global CIDs. + */ + if (vsock_net_mode(net) =3D=3D VSOCK_NET_MODE_LOCAL && + new_mode =3D=3D VSOCK_NET_MODE_GLOBAL) + return -EPERM; + vsock_net_set_child_mode(net, new_mode); + } =20 return 0; } --=20 2.53.0
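Review bot: the -EPERM check in the vsock_net_child_mode_string() hunk sits in the right place (only on write, after the string has been parsed into new_mode and `if (ret) return ret;` has handled parse errors), but neither the new in-code comment nor the updated header comment in the @@ -95,8 +95,9 @@ hunk names the errno userspace will see; since a caller gets EPERM rather than EINVAL, spell that out next to "A "local" namespace cannot set child_ns_mode to "global"" and in the commit message. The diffstat shows only net/vmw_vsock/af_vsock.c changing, so if a Documentation/ entry for the child_ns_mode sysctl exists it should receive the same sentence. A selftest that writes "global" to child_ns_mode from inside a "local" namespace and asserts EPERM would pin the behaviour down.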
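The two behaviours the series changes, the child_ns_mode default set in vsock_net_init() (patch 1/2) and the rejection of a "local" to "global" child_ns_mode write (patch 2/2), as an added user-space model. This is not the kernel's code and not part of the series: the `struct net` layout, the `fixed` switch that selects pre- or post-series behaviour, and the helper names other than those quoted from the patches (`first_global_depth`, `local_ns_escalation_result`, `model_*`) are assumptions made so the propagation logic can be run and checked on its own.

```c
/* Constructed model of the vsock netns mode logic touched by this series.
 * Not kernel code: struct layout, the "fixed" switch and the model_*/
/* helper names are assumptions for illustration. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

enum vsock_net_mode { VSOCK_NET_MODE_GLOBAL = 0, VSOCK_NET_MODE_LOCAL = 1 };

struct net {
    enum vsock_net_mode mode;          /* ns_mode: set at creation, immutable */
    enum vsock_net_mode child_ns_mode; /* sysctl: what new children inherit */
};

/* Model of vsock_net_init(): a child's ns_mode comes from the parent's
 * child_ns_mode. Before patch 1/2 the child's own child_ns_mode was
 * hardcoded to "global"; after it, it starts equal to the child's mode. */
static void model_vsock_net_init(struct net *net, const struct net *parent,
                                 bool fixed)
{
    net->mode = parent->child_ns_mode;
    net->child_ns_mode = fixed ? net->mode : VSOCK_NET_MODE_GLOBAL;
}

/* Model of the child_ns_mode sysctl write path. Patch 2/2 adds the
 * -EPERM rejection of a "local" namespace choosing "global" for its
 * children; the unfixed path accepts any value. */
static int model_child_mode_write(struct net *net, enum vsock_net_mode new_mode,
                                  bool fixed)
{
    if (fixed && net->mode == VSOCK_NET_MODE_LOCAL &&
        new_mode == VSOCK_NET_MODE_GLOBAL)
        return -EPERM;
    net->child_ns_mode = new_mode;
    return 0;
}

/* Build a chain init_net -> ns1 -> ns2 -> ... after setting init_net's
 * child_ns_mode to "local". Returns the depth of the first namespace that
 * comes out "global" again, or -1 if "local" survives all max_depth levels.
 * Unfixed: ns1 is "local" but its child_ns_mode is "global", so ns2 is
 * "global" (depth 2). Fixed: "local" propagates all the way down (-1). */
int first_global_depth(bool fixed, int max_depth)
{
    struct net init_net = { VSOCK_NET_MODE_GLOBAL, VSOCK_NET_MODE_GLOBAL };
    struct net cur = init_net, next;

    /* init_net is "global", so this write is accepted with or without the fix. */
    model_child_mode_write(&cur, VSOCK_NET_MODE_LOCAL, fixed);

    for (int depth = 1; depth <= max_depth; depth++) {
        model_vsock_net_init(&next, &cur, fixed);
        if (next.mode == VSOCK_NET_MODE_GLOBAL)
            return depth;
        cur = next;
    }
    return -1;
}

/* A "local" namespace tries to flip its own child_ns_mode to "global".
 * Returns the write handler's result: 0 when the switch is accepted
 * (pre-series behaviour), -EPERM when it is rejected (patch 2/2). */
int local_ns_escalation_result(bool fixed)
{
    struct net init_net = { VSOCK_NET_MODE_GLOBAL, VSOCK_NET_MODE_LOCAL };
    struct net local_ns;

    model_vsock_net_init(&local_ns, &init_net, fixed);
    return model_child_mode_write(&local_ns, VSOCK_NET_MODE_GLOBAL, fixed);
}

int main(void)
{
    printf("unfixed: first global depth = %d, local->global write = %d\n",
           first_global_depth(false, 4), local_ns_escalation_result(false));
    printf("fixed:   first global depth = %d, local->global write = %d\n",
           first_global_depth(true, 4), local_ns_escalation_result(true));
    return 0;
}
```

Running the model with `fixed` off reproduces both defects the commit messages describe (the mode reverts to "global" at the second nesting level, and a "local" namespace's write of "global" is accepted); with `fixed` on, "local" propagates through every level and the write returns -EPERM. On a kernel carrying the series the same two checks translate into reading /proc/sys/net/vsock/ns_mode in nested namespaces and writing /proc/sys/net/vsock/child_ns_mode from a "local" one.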