[PATCH net-next v2 0/2] net: devmem: allow bind-rx from non-init user namespaces

Bobby Eshleman posted 2 patches 5 days, 2 hours ago
Posted by Bobby Eshleman 5 days, 2 hours ago
NETDEV_CMD_BIND_RX is GENL_ADMIN_PERM, which checks CAP_NET_ADMIN
against init_user_ns. With netkit and netns support for devmem, it is
now useful to let workloads holding CAP_NET_ADMIN only in their own
user_ns issue bind-rx for a netns owned by that user_ns.

The first patch switches the flag to GENL_UNS_ADMIN_PERM so the check
uses the target netns's owning user_ns. Init remains permitted.

The second patch just adds test cases. They are identical to
nk_devmem.py tests, but using a non-init userns.

Signed-off-by: Bobby Eshleman <bobbyeshleman@meta.com>
---
Changes in v2:
- some pylint fixes
- fixed import issue
- Link to v1: https://lore.kernel.org/all/20260601-nl-prov-v1-0-9bc57d6ca3f3@meta.com/

---
Bobby Eshleman (2):
      net: devmem: allow bind-rx from non-init user namespaces
      selftests: drv-net: add userns devmem RX test

 Documentation/netlink/specs/netdev.yaml            |  2 +-
 net/core/netdev-genl-gen.c                         |  2 +-
 tools/testing/selftests/drivers/net/hw/Makefile    |  1 +
 tools/testing/selftests/drivers/net/hw/config      |  1 +
 .../selftests/drivers/net/hw/lib/py/__init__.py    |  4 +-
 .../selftests/drivers/net/hw/userns_devmem.py      | 49 ++++++++++++++
 .../selftests/drivers/net/lib/py/__init__.py       |  4 +-
 tools/testing/selftests/drivers/net/lib/py/env.py  |  8 ++-
 tools/testing/selftests/net/lib/py/__init__.py     |  4 +-
 tools/testing/selftests/net/lib/py/netns.py        | 75 +++++++++++++++++++++-
 tools/testing/selftests/net/lib/py/utils.py        |  7 +-
 11 files changed, 144 insertions(+), 13 deletions(-)
---
base-commit: 0906c117f81c2ae6e6dbfa82719f79c75e1c9325
change-id: 20260529-nl-prov-491a85c020b0

Best regards,
-- 
Bobby Eshleman <bobbyeshleman@meta.com>
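As an added illustration of the permission change described in the cover letter (this is a model written for this page, not kernel code and not part of the series), the following simulates how CAP_NET_ADMIN is evaluated under GENL_ADMIN_PERM (against init_user_ns) versus GENL_UNS_ADMIN_PERM (against the owning user_ns of the target netns). The namespace names are constructed, and ns_capable() is reduced to the ancestor-walk rule, leaving out the kernel's owner-uid shortcut.

```python
from dataclasses import dataclass, field
from typing import Optional

CAP_NET_ADMIN = "CAP_NET_ADMIN"

@dataclass(eq=False)
class UserNs:
    name: str
    parent: Optional["UserNs"] = None  # None only for init_user_ns

@dataclass
class Cred:
    user_ns: UserNs                     # user namespace the caller lives in
    caps: set = field(default_factory=set)  # effective capability set

def ns_capable(cred: Cred, target: UserNs, cap: str) -> bool:
    """Ancestor-walk rule: the caller holds `cap` in `target` only if its own
    user_ns is `target` or an ancestor of it and `cap` is in its effective set.
    (The kernel's owner-uid shortcut is left out of this model.)"""
    ns = target
    while ns is not None:
        if ns is cred.user_ns:
            return cap in cred.caps
        ns = ns.parent
    return False  # walked past init_user_ns without meeting the caller's ns

def bind_rx_allowed(flag: str, cred: Cred, netns_owner: UserNs, init_ns: UserNs) -> bool:
    """GENL_ADMIN_PERM checks CAP_NET_ADMIN against init_user_ns;
    GENL_UNS_ADMIN_PERM checks it against the target netns's owning user_ns."""
    if flag == "GENL_ADMIN_PERM":
        return ns_capable(cred, init_ns, CAP_NET_ADMIN)
    if flag == "GENL_UNS_ADMIN_PERM":
        return ns_capable(cred, netns_owner, CAP_NET_ADMIN)
    raise ValueError(flag)

def scenario() -> dict:
    """Constructed setup: a workload holding CAP_NET_ADMIN only in child_uns,
    which owns one netns; a sibling user_ns owns another."""
    init = UserNs("init_user_ns")
    child, sibling = UserNs("child_uns", init), UserNs("sibling_uns", init)
    root = Cred(init, {CAP_NET_ADMIN})
    workload = Cred(child, {CAP_NET_ADMIN})
    return {
        "before_root": bind_rx_allowed("GENL_ADMIN_PERM", root, child, init),
        "before_workload": bind_rx_allowed("GENL_ADMIN_PERM", workload, child, init),
        "after_root": bind_rx_allowed("GENL_UNS_ADMIN_PERM", root, child, init),
        "after_workload": bind_rx_allowed("GENL_UNS_ADMIN_PERM", workload, child, init),
        "after_workload_sibling_netns": bind_rx_allowed("GENL_UNS_ADMIN_PERM", workload, sibling, init),
    }
```

The "after" rows show the two properties the cover letter states: init stays permitted, and the workload can bind-rx only for a netns owned by its own user_ns, not a sibling's.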
Re: [PATCH net-next v2 0/2] net: devmem: allow bind-rx from non-init user namespaces
Posted by Stanislav Fomichev 4 days, 13 hours ago
On 06/02, Bobby Eshleman wrote:
> NETDEV_CMD_BIND_RX is GENL_ADMIN_PERM, which checks CAP_NET_ADMIN
> against init_user_ns. With netkit and netns support for devmem, it is
> now useful to let workloads holding CAP_NET_ADMIN only in their own
> user_ns issue bind-rx for a netns owned by that user_ns.
> 
> The first patch switches the flag to GENL_UNS_ADMIN_PERM so the check
> uses the target netns's owning user_ns. Init remains permitted.
> 
> The second patch just adds test cases. They are identical to
> nk_devmem.py tests, but using a non-init userns.
> 
> Signed-off-by: Bobby Eshleman <bobbyeshleman@meta.com>
> ---
> Changes in v2:
> - some pylint fixes
> - fixed import issue
> - Link to v1: https://lore.kernel.org/all/20260601-nl-prov-v1-0-9bc57d6ca3f3@meta.com/

Acked-by: Stanislav Fomichev <sdf@fomichev.me>