From: Maoyi Xie
To: Jakub Kicinski, "David S . Miller", Paolo Abeni, Eric Dumazet
Cc: David Ahern, Kuniyuki Iwashima, Xiao Liang, Nikolaos Gkarlis, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Maoyi Xie, stable@vger.kernel.org
Subject: [PATCH net] rtnetlink: Require CAP_NET_ADMIN in link netns for changelink.
Date: Wed, 27 May 2026 15:08:24 +0800
Message-Id: <20260527070824.2677331-1-maoyixie.tju@gmail.com>

Commit 11b326fb0a37 ("ip6: vti: Use ip6_tnl.net in vti6_changelink().") made vti6_changelink() and vti6_update() mutate the vti6 hash of the device's creation netns. The rtnetlink path into changelink never checks CAP_NET_ADMIN against that netns.

The only capability check on the link netns, netlink_ns_capable() against link_net->user_ns, runs solely when the RTM_NEWLINK message carries IFLA_LINK_NETNSID. A plain "ip link set type vti6 ..." does not carry it. So an unprivileged user holding a migrated vti6 device can rewrite an entry in the creation netns vti6 hash. They pick the endpoint addresses.

Commit 8b484efd5cb4 ("ip6: vti: Use ip6_tnl.net in vti6_siocdevprivate().") already closed the SIOCCHGTUNNEL path. This patch closes the RTM_NEWLINK path.

Other link_types are affected too. Any type that publishes get_link_net and whose changelink touches t->net has the same gap: ipip, gre, sit, ip_vti, ip6_tnl, ip6_gre, xfrm_interface.

Check netlink_ns_capable(CAP_NET_ADMIN) against the device's link netns before dispatching to rtnl_changelink(). Types without get_link_net are unaffected.

The newlink path has long checked capability in the link netns. The changelink path never did.

Reported-by: Xiao Liang Closes: https://lore.kernel.org/netdev/CABAhCOSzP1vaThGV35_VnsRCb=3D87_CPjP= VsTHbq905k8A+BuUg@mail.gmail.com/ Fixes: 06615bed60c1 ("net: Verify permission to link_net in newlink") Cc: stable@vger.kernel.org Signed-off-by: Maoyi Xie --- net/core/rtnetlink.c | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c index df042da422ef..ac7a3bf438d5 100644 --- a/net/core/rtnetlink.c +++ b/net/core/rtnetlink.c @@ -3969,8 +3969,26 @@ static int __rtnl_newlink(struct sk_buff *skb, struc= t nlmsghdr *nlh, dev =3D NULL; } =20 - if (dev) + if (dev) { + /* changelink may mutate the link's creation netns. + * rtnl_link_get_net_capable() above only checked + * tgt_net. When the creation netns differs, also + * require CAP_NET_ADMIN there. Otherwise a migrated + * device lets a caller with caps only in its current + * netns mutate the creation netns. + */ + if (dev->rtnl_link_ops && dev->rtnl_link_ops->get_link_net) { + struct net *dev_link_net; + + dev_link_net =3D dev->rtnl_link_ops->get_link_net(dev); + if (!net_eq(dev_link_net, tgt_net) && + !netlink_ns_capable(skb, dev_link_net->user_ns, + CAP_NET_ADMIN)) + return -EPERM; + } + return rtnl_changelink(skb, nlh, ops, dev, tgt_net, tbs, data, extack); + } =20 if (!(nlh->nlmsg_flags & NLM_F_CREATE)) { /* No dev found and NLM_F_CREATE not set. Requested dev does not exist, --=20 2.34.1
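
Review bot: the new `return -EPERM` in the `if (dev)` branch fails the request without setting an extack message, although `extack` is in scope (it is passed to rtnl_changelink() right after). A caller who holds CAP_NET_ADMIN in the device's current netns will see only a bare EPERM with no hint that the link netns is the one being checked; consider an NL_SET_ERR_MSG(extack, ...) before the return that says CAP_NET_ADMIN is required in the link netns. Separately, the check sits in front of the whole rtnl_changelink() call, so it applies to every RTM_NEWLINK on an existing device whose type publishes get_link_net and whose link netns differs from tgt_net, not only to requests that end up in the type's changelink handler. If that wider scope is intended, the commit message should state it; otherwise the check could move next to the point where changelink is dispatched.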