From: Maoyi Xie
To: "David S . Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni
Cc: David Ahern, Kuniyuki Iwashima, Xiao Liang, Steffen Klassert, Herbert Xu, Simon Horman, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: [PATCH net v4 1/7] net: ip_gre: require CAP_NET_ADMIN in the device netns for changelink
Date: Wed, 10 Jun 2026 00:31:04 +0800
Message-Id: <20260609163110.1717419-2-maoyixie.tju@gmail.com>
In-Reply-To: <20260609163110.1717419-1-maoyixie.tju@gmail.com>
References: <20260609163110.1717419-1-maoyixie.tju@gmail.com>

A tunnel changelink rewrites the tunnel in its creation netns. After an IFLA_NET_NS_FD migration that netns is not the caller's. The rtnl changelink path only checks CAP_NET_ADMIN against the caller's netns. A caller with caps only in its current netns can then rewrite a tunnel that lives in another netns, and it picks the endpoint addresses.

Add net_admin_capable(). It requires CAP_NET_ADMIN in the tunnel's netns and is skipped when that netns is the device's current netns, where the rtnl path already checked the cap. The other patches in this series use the same helper.

Gate ipgre_changelink() and erspan_changelink() with it. The check is at the top of the op, before any attribute is parsed, because the parsers update live tunnel fields first. ipgre_netlink_parms() sets t->collect_md before ip_tunnel_changelink() runs.

Commit 8b484efd5cb4 ("ip6: vti: Use ip6_tnl.net in vti6_siocdevprivate().") added the same check on the ioctl path. This adds it on RTM_NEWLINK.
Reported-by: Xiao Liang Closes: https://lore.kernel.org/netdev/CABAhCOSzP1vaThGV35_VnsRCb=3D87_CPjP= VsTHbq905k8A+BuUg@mail.gmail.com/ Fixes: d0f418516022 ("net, ip_tunnel: fix namespaces move") Cc: stable@vger.kernel.org Signed-off-by: Maoyi Xie --- include/net/net_namespace.h | 18 ++++++++++++++++++ net/ipv4/ip_gre.c | 6 ++++++ 2 files changed, 24 insertions(+) diff --git a/include/net/net_namespace.h b/include/net/net_namespace.h index 80de5e98a66d..17fb71a78cb6 100644 --- a/include/net/net_namespace.h +++ b/include/net/net_namespace.h @@ -358,6 +358,24 @@ static inline bool net_initialized(const struct net *n= et) return READ_ONCE(net->list.next); } =20 +/** + * net_admin_capable - test for CAP_NET_ADMIN over a network namespace + * @net: namespace whose state the operation would change + * @cur: namespace the operation runs in, e.g. dev_net(dev) + * + * Returns true when @net is @cur, where CAP_NET_ADMIN was already + * checked for the running namespace, or when the caller holds + * CAP_NET_ADMIN over @net. rtnl changelink paths use this: a device can + * be moved so its state lives in a namespace other than the one the + * request runs in, and the cap must then be held over that namespace. + */ +static inline bool net_admin_capable(const struct net *net, + const struct net *cur) +{ + return net_eq(net, cur) || + ns_capable(net->user_ns, CAP_NET_ADMIN); +} + static inline void __netns_tracker_alloc(struct net *net, netns_tracker *tracker, bool refcounted, diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c index 169e2921a851..040a0ef95184 100644 --- a/net/ipv4/ip_gre.c +++ b/net/ipv4/ip_gre.c @@ -1457,6 +1457,9 @@ static int ipgre_changelink(struct net_device *dev, s= truct nlattr *tb[], __u32 fwmark =3D t->fwmark; int err; =20 + if (!net_admin_capable(t->net, dev_net(dev))) + return -EPERM; + err =3D ipgre_newlink_encap_setup(dev, data); if (err) return err; 
@@ -1486,6 +1489,9 @@ static int erspan_changelink(struct net_device *dev, = struct nlattr *tb[], __u32 fwmark =3D t->fwmark; int err; =20 + if (!net_admin_capable(t->net, dev_net(dev))) + return -EPERM; + err =3D ipgre_newlink_encap_setup(dev, data); if (err) return err; --=20 2.34.1
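Review bot: the net_eq(net, cur) short-circuit in net_admin_capable() relies on a precondition the helper cannot check, namely that the caller already passed a CAP_NET_ADMIN test over @cur. The kerneldoc describes that for the rtnl changelink paths, but the name reads like a general capability test, and a future caller on a path with no prior check gets a silent pass whenever the two namespaces match. Suggest stating the precondition as a requirement in the kerneldoc's first sentence and at the net_eq() line (e.g. `/* @cur was already cap-checked by the rtnl path */`), or dropping the short-circuit and always calling ns_capable(net->user_ns, CAP_NET_ADMIN), which should already hold when net == cur. Also confirm that <linux/capability.h> is reachable from net_namespace.h for ns_capable() and CAP_NET_ADMIN, since the hunk adds no include.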
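Review bot: placement in ipgre_changelink() and erspan_changelink() is right: the check sits above ipgre_newlink_encap_setup(dev, data), so nothing is parsed or written into the tunnel before the denial, which matches the commit message's point about ipgre_netlink_parms() setting t->collect_md early. One follow-up: the bare `return -EPERM;` gives the caller no hint that the missing capability is in the tunnel's creation namespace rather than its own; an NL_SET_ERR_MSG() on that path (changelink ops receive an extack) would make a denial on a migrated tunnel diagnosable. The same two-line block now recurs in every changelink op of the series, so a one-line comment at this first occurrence naming the precondition (rtnl already checked dev_net(dev)) would help whoever adds the next tunnel driver.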
From: Maoyi Xie
To: "David S . Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni
Cc: David Ahern, Kuniyuki Iwashima, Xiao Liang, Steffen Klassert, Herbert Xu, Simon Horman, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: [PATCH net v4 2/7] net: ipip: require CAP_NET_ADMIN in the device netns for changelink
Date: Wed, 10 Jun 2026 00:31:05 +0800
Message-Id: <20260609163110.1717419-3-maoyixie.tju@gmail.com>
In-Reply-To: <20260609163110.1717419-1-maoyixie.tju@gmail.com>
References: <20260609163110.1717419-1-maoyixie.tju@gmail.com>

ipip_changelink() rewrites the tunnel in its creation netns. After an IFLA_NET_NS_FD migration that netns is not the caller's, but the rtnl changelink path only checks CAP_NET_ADMIN against the caller's netns. A caller with caps only in its current netns can then rewrite a tunnel in another netns and pick its endpoint addresses.

Gate the op on net_admin_capable() at its top, before any attribute is parsed. The check is skipped when the tunnel netns is the device's current netns, where the rtnl path already checked the cap.

Reported-by: Xiao Liang
Closes: https://lore.kernel.org/netdev/CABAhCOSzP1vaThGV35_VnsRCb=87_CPjPVsTHbq905k8A+BuUg@mail.gmail.com/
Fixes: d0f418516022 ("net, ip_tunnel: fix namespaces move")
Cc: stable@vger.kernel.org
Signed-off-by: Maoyi Xie
--- net/ipv4/ipip.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/ipv4/ipip.c b/net/ipv4/ipip.c index ff95b1b9908e..1813f6026e49 100644 --- a/net/ipv4/ipip.c +++ b/net/ipv4/ipip.c
@@ -494,6 +494,9 @@ static int ipip_changelink(struct net_device *dev, stru= ct nlattr *tb[], bool collect_md; __u32 fwmark =3D t->fwmark; =20 + if (!net_admin_capable(t->net, dev_net(dev))) + return -EPERM; + if (ip_tunnel_netlink_encap_parms(data, &ipencap)) { int err =3D ip_tunnel_encap_setup(t, &ipencap); =20 --=20 2.34.1
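Review bot: the check precedes ip_tunnel_netlink_encap_parms(data, &ipencap), and the visible lines show why that matters here: the statement that follows is ip_tunnel_encap_setup(t, &ipencap), which writes the encap parameters into the live tunnel before ip_tunnel_changelink() ever runs. So the early position, rather than a check inside ip_tunnel_changelink(), is what closes the window. The ipip commit message only says "before any attribute is parsed"; stating that ip_tunnel_encap_setup() mutates t first, as the ip_gre patch does for ipgre_netlink_parms(), would record why the placement must not move.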
From: Maoyi Xie
To: "David S . Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni
Cc: David Ahern, Kuniyuki Iwashima, Xiao Liang, Steffen Klassert, Herbert Xu, Simon Horman, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: [PATCH net v4 3/7] net: ip_vti: require CAP_NET_ADMIN in the device netns for changelink
Date: Wed, 10 Jun 2026 00:31:06 +0800
Message-Id: <20260609163110.1717419-4-maoyixie.tju@gmail.com>
In-Reply-To: <20260609163110.1717419-1-maoyixie.tju@gmail.com>
References: <20260609163110.1717419-1-maoyixie.tju@gmail.com>

vti_changelink() rewrites the tunnel in its creation netns. After an IFLA_NET_NS_FD migration that netns is not the caller's, but the rtnl changelink path only checks CAP_NET_ADMIN against the caller's netns. A caller with caps only in its current netns can then rewrite a tunnel in another netns and pick its endpoint addresses.

Gate the op on net_admin_capable() at its top, before any attribute is parsed. The check is skipped when the tunnel netns is the device's current netns, where the rtnl path already checked the cap.

Reported-by: Xiao Liang
Closes: https://lore.kernel.org/netdev/CABAhCOSzP1vaThGV35_VnsRCb=87_CPjPVsTHbq905k8A+BuUg@mail.gmail.com/
Fixes: d0f418516022 ("net, ip_tunnel: fix namespaces move")
Cc: stable@vger.kernel.org
Signed-off-by: Maoyi Xie
--- net/ipv4/ip_vti.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c index 95b6bb78fcd2..55ec52bc5db0 100644 --- a/net/ipv4/ip_vti.c +++ b/net/ipv4/ip_vti.c
@@ -596,6 +596,9 @@ static int vti_changelink(struct net_device *dev, struc= t nlattr *tb[], struct ip_tunnel_parm_kern p; __u32 fwmark =3D t->fwmark; =20 + if (!net_admin_capable(t->net, dev_net(dev))) + return -EPERM; + vti_netlink_parms(data, &p, &fwmark); return ip_tunnel_changelink(dev, tb, &p, fwmark); } --=20 2.34.1
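Review bot: in vti_changelink() the parsing step, vti_netlink_parms(data, &p, &fwmark), only fills the locals p and fwmark (it is not handed t at all), and the tunnel is first touched inside ip_tunnel_changelink(), so unlike ip_gre and ipip no live field is written before that call. The early check is still correct and consistent with the rest of the series, but the commit message could note that here the window is inside ip_tunnel_changelink(), since that is the one place a shared check could later replace these per-driver copies.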
From: Maoyi Xie
To: "David S . Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni
Cc: David Ahern, Kuniyuki Iwashima, Xiao Liang, Steffen Klassert, Herbert Xu, Simon Horman, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: [PATCH net v4 4/7] net: ip6_tunnel: require CAP_NET_ADMIN in the device netns for changelink
Date: Wed, 10 Jun 2026 00:31:07 +0800
Message-Id: <20260609163110.1717419-5-maoyixie.tju@gmail.com>
In-Reply-To: <20260609163110.1717419-1-maoyixie.tju@gmail.com>
References: <20260609163110.1717419-1-maoyixie.tju@gmail.com>

ip6_tnl_changelink() rewrites the tunnel in its creation netns. After an IFLA_NET_NS_FD migration that netns is not the caller's, but the rtnl changelink path only checks CAP_NET_ADMIN against the caller's netns. A caller with caps only in its current netns can then rewrite a tunnel in another netns and pick its endpoint addresses.

Gate the op on net_admin_capable() at its top, before any attribute is parsed. The check is skipped when the tunnel netns is the device's current netns, where the rtnl path already checked the cap.

Reported-by: Xiao Liang
Closes: https://lore.kernel.org/netdev/CABAhCOSzP1vaThGV35_VnsRCb=87_CPjPVsTHbq905k8A+BuUg@mail.gmail.com/
Fixes: 5311a69aaca3 ("net, ip6_tunnel: fix namespaces move")
Cc: stable@vger.kernel.org
Signed-off-by: Maoyi Xie
--- net/ipv6/ip6_tunnel.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c index 9d1037ac082f..5ff8e057fb1e 100644 --- a/net/ipv6/ip6_tunnel.c +++ b/net/ipv6/ip6_tunnel.c
@@ -2102,6 +2102,9 @@ static int ip6_tnl_changelink(struct net_device *dev,= struct nlattr *tb[], struct ip6_tnl_net *ip6n =3D net_generic(net, ip6_tnl_net_id); struct ip_tunnel_encap ipencap; =20 + if (!net_admin_capable(net, dev_net(dev))) + return -EPERM; + if (dev =3D=3D ip6n->fb_tnl_dev) { if (ip_tunnel_netlink_encap_parms(data, &ipencap)) { /* iproute2 always sets TUNNEL_ENCAP_FLAG_CSUM6, so --=20 2.34.1
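Review bot: the check passes `net` where every other hunk in the series passes t->net, and the visible context only shows that local feeding net_generic(net, ip6_tnl_net_id); nothing above the check shows how it is initialised. If it is t->net the check is equivalent to the other patches; if it were dev_net(dev) the net_eq() branch would turn the whole check into a no-op. Please confirm, and consider writing it as t->net so the intent survives any later change to that local. Note also that the check now sits before the `dev == ip6n->fb_tnl_dev` branch, so it applies to the fallback device too; that looks harmless but deserves a sentence in the commit message.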
From: Maoyi Xie
To: "David S . Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni
Cc: David Ahern, Kuniyuki Iwashima, Xiao Liang, Steffen Klassert, Herbert Xu, Simon Horman, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: [PATCH net v4 5/7] net: ip6_gre: require CAP_NET_ADMIN in the device netns for changelink
Date: Wed, 10 Jun 2026 00:31:08 +0800
Message-Id: <20260609163110.1717419-6-maoyixie.tju@gmail.com>
In-Reply-To: <20260609163110.1717419-1-maoyixie.tju@gmail.com>

ip6gre_changelink() and ip6erspan_changelink() rewrite the tunnel in its
creation netns. After an IFLA_NET_NS_FD migration that netns is not the
caller's, but the rtnl changelink path only checks CAP_NET_ADMIN against
the caller's netns. A caller with caps only in its current netns can then
rewrite a tunnel in another netns and pick its endpoint addresses.

Gate both ops on net_admin_capable() at their top, before any attribute
is parsed. The check is skipped when the tunnel netns is the device's
current netns, where the rtnl path already checked the cap.

Reported-by: Xiao Liang
Closes: https://lore.kernel.org/netdev/CABAhCOSzP1vaThGV35_VnsRCb=87_CPjPVsTHbq905k8A+BuUg@mail.gmail.com/
Fixes: 690afc165bb3 ("net: ip6_gre: fix moving ip6gre between namespaces")
Cc: stable@vger.kernel.org
Signed-off-by: Maoyi Xie
---
 net/ipv6/ip6_gre.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
index 365b4059eb20..829388d7b870 100644
--- a/net/ipv6/ip6_gre.c
+++ b/net/ipv6/ip6_gre.c
@@ -2047,6 +2047,9 @@ static int ip6gre_changelink(struct net_device *dev, = struct nlattr *tb[], struct ip6gre_net *ign =3D net_generic(t->net, ip6gre_net_id); struct __ip6_tnl_parm p; =20 + if (!net_admin_capable(t->net, dev_net(dev))) + return -EPERM; + t =3D ip6gre_changelink_common(dev, tb, data, &p, extack); if (IS_ERR(t)) return PTR_ERR(t); 
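Review bot: net_admin_capable() is not introduced by this diff, so the stable backport this patch asks for (Cc: stable@vger.kernel.org, Fixes: 690afc165bb3) cannot be applied on its own; the series patch that adds the helper has to travel with it, and that dependency should be called out, either as a stable "depends on" note or as a sentence in the commit message. The placement itself looks right: the check sits above `t = ip6gre_changelink_common(dev, tb, data, &p, extack);`, so nothing is parsed before it, and `t->net` is already valid here because `ign` is computed from it in the context lines above.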
@@ -2266,6 +2269,9 @@ static int ip6erspan_changelink(struct net_device *de= v, struct nlattr *tb[], struct __ip6_tnl_parm p; struct ip6gre_net *ign; =20 + if (!net_admin_capable(t->net, dev_net(dev))) + return -EPERM; + ign =3D net_generic(t->net, ip6gre_net_id); t =3D ip6gre_changelink_common(dev, tb, data, &p, extack); if (IS_ERR(t)) --=20 2.34.1
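Review bot: this is a copy of the three-line check from the ip6gre_changelink() hunk, and both functions call ip6gre_changelink_common(dev, tb, data, &p, extack) immediately afterwards; moving `if (!net_admin_capable(t->net, dev_net(dev))) return -EPERM;` to the top of ip6gre_changelink_common() would cover both callers in one place, keep the ERSPAN and plain GRE paths from drifting apart later, and still run before any attribute is parsed as the commit message requires.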
From: Maoyi Xie
To: "David S . Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni
Cc: David Ahern, Kuniyuki Iwashima, Xiao Liang, Steffen Klassert, Herbert Xu, Simon Horman, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: [PATCH net v4 6/7] net: ip6_vti: require CAP_NET_ADMIN in the device netns for changelink
Date: Wed, 10 Jun 2026 00:31:09 +0800
Message-Id: <20260609163110.1717419-7-maoyixie.tju@gmail.com>
In-Reply-To: <20260609163110.1717419-1-maoyixie.tju@gmail.com>

vti6_changelink() rewrites the tunnel in its creation netns. After an
IFLA_NET_NS_FD migration that netns is not the caller's, but the rtnl
changelink path only checks CAP_NET_ADMIN against the caller's netns. A
caller with caps only in its current netns can then rewrite a tunnel in
another netns and pick its endpoint addresses.

Gate the op on net_admin_capable() at its top, before any attribute is
parsed. The check is skipped when the tunnel netns is the device's
current netns, where the rtnl path already checked the cap.

Reported-by: Xiao Liang
Closes: https://lore.kernel.org/netdev/CABAhCOSzP1vaThGV35_VnsRCb=87_CPjPVsTHbq905k8A+BuUg@mail.gmail.com/
Fixes: 11b326fb0a37 ("ip6: vti: Use ip6_tnl.net in vti6_changelink().")
Cc: stable@vger.kernel.org
Signed-off-by: Maoyi Xie
---
 net/ipv6/ip6_vti.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/ipv6/ip6_vti.c b/net/ipv6/ip6_vti.c
index df793c8bfffb..ec82626363f7 100644
--- a/net/ipv6/ip6_vti.c
+++ b/net/ipv6/ip6_vti.c
@@ -1044,6 +1044,9 @@ static int vti6_changelink(struct net_device *dev, st= ruct nlattr *tb[], struct __ip6_tnl_parm p; struct vti6_net *ip6n; =20 + if (!net_admin_capable(net, dev_net(dev))) + return -EPERM; + ip6n =3D net_generic(net, vti6_net_id); if (dev =3D=3D ip6n->fb_tnl_dev) return -EINVAL; --=20 2.34.1
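Review bot: the check reads `net`, which is declared outside the visible context, and it only does anything if `net` is the tunnel's creation netns (ip6_tnl.net, which the Fixes: target 11b326fb0a37 made vti6_changelink() use); if `net` were dev_net(dev) the helper would always take its skip path and this hunk would be a no-op. The ip6_gre hunks in this series write `t->net` explicitly; doing the same here, or at least stating in the commit message that `net` is `t->net`, makes the intent checkable from the hunk alone.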
From: Maoyi Xie
To: "David S . Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni
Cc: David Ahern, Kuniyuki Iwashima, Xiao Liang, Steffen Klassert, Herbert Xu, Simon Horman, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: [PATCH net v4 7/7] xfrm: xfrm_interface: require CAP_NET_ADMIN in the device netns for changelink
Date: Wed, 10 Jun 2026 00:31:10 +0800
Message-Id: <20260609163110.1717419-8-maoyixie.tju@gmail.com>
In-Reply-To: <20260609163110.1717419-1-maoyixie.tju@gmail.com>

xfrmi_changelink() rewrites the interface in its creation netns. After an
IFLA_NET_NS_FD migration that netns is not the caller's, but the rtnl
changelink path only checks CAP_NET_ADMIN against the caller's netns. A
caller with caps only in its current netns can then rewrite an interface
in another netns.

Gate the op on net_admin_capable() at its top, before any attribute is
parsed. The check is skipped when the interface netns is the device's
current netns, where the rtnl path already checked the cap.

Reported-by: Xiao Liang
Closes: https://lore.kernel.org/netdev/CABAhCOSzP1vaThGV35_VnsRCb=87_CPjPVsTHbq905k8A+BuUg@mail.gmail.com/
Fixes: f203b76d7809 ("xfrm: Add virtual xfrm interfaces")
Cc: stable@vger.kernel.org
Signed-off-by: Maoyi Xie
---
 net/xfrm/xfrm_interface_core.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/xfrm/xfrm_interface_core.c b/net/xfrm/xfrm_interface_core.c
index 330a05286a56..8fd3842d20c2 100644
--- a/net/xfrm/xfrm_interface_core.c
+++ b/net/xfrm/xfrm_interface_core.c
@@ -869,6 +869,9 @@ static int xfrmi_changelink(struct net_device *dev, str= uct nlattr *tb[], struct net *net =3D xi->net; struct xfrm_if_parms p =3D {}; =20 + if (!net_admin_capable(net, dev_net(dev))) + return -EPERM; + xfrmi_netlink_parms(data, &p); if (!p.if_id) { NL_SET_ERR_MSG(extack, "if_id must be non zero"); --=20 2.34.1
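Review bot: the `return -EPERM` sets no extack message although the function takes one and the very next check does (`NL_SET_ERR_MSG(extack, "if_id must be non zero")`); an NL_SET_ERR_MSG along the lines of "CAP_NET_ADMIN required in the interface's creation netns" before the return lets a caller tell this refusal apart from any other permission failure. The ip6_gre hunks, which already pass extack into ip6gre_changelink_common(), have the same gap.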
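A way to check a running kernel for the behaviour the ip6_gre (5/7) and ip6_vti (6/7) commit messages describe, written here as an added example and not part of the series or of the kernel tree: it creates an ip6gre and a vti6 tunnel in the host netns, moves each into a netns owned by a fresh user namespace, and then, holding CAP_NET_ADMIN only inside that sandbox, asks the kernel to change the tunnel's remote address. The device names, the 2001:db8:: addresses and the classify/probe/main helper names are made up for the script. It assumes root on the host, iproute2, util-linux (unshare, nsenter) and the ip6_gre and ip6_vti modules, and it only runs the privileged part when invoked with --run; the xfrm interface case from 7/7 is left out because it has no remote address to re-point.

```shell
#!/bin/sh
# Constructed verification script (not part of the patch series).
# Does a CAP_NET_ADMIN holder in a child user+net namespace get to rewrite
# the endpoints of a tunnel that was created in the host netns and then
# migrated into the child netns? Assumptions: root on the host, iproute2,
# util-linux (unshare, nsenter), ip6_gre and ip6_vti modules loadable.
# Device names and 2001:db8:: addresses are made up for this test.

# classify <ip-exit-status> <ip-stderr>: pure helper, runs without root.
# VULNERABLE: the foreign-netns changelink was accepted.
# FIXED:      it was refused with EPERM (the patched behaviour).
# UNKNOWN:    some other failure (missing module, bad iproute2, ...).
classify() {
    status=$1
    err=$2
    if [ "$status" -eq 0 ]; then
        echo VULNERABLE
    elif printf '%s' "$err" | grep -q 'Operation not permitted'; then
        echo FIXED
    else
        echo UNKNOWN
    fi
}

# probe <link type> <device name>: one tunnel kind end to end, prints a verdict.
probe() {
    kind=$1
    name=$2

    # 1. Creation netns is the host netns: the tunnel keeps transmitting from
    #    here whatever netns the device is later shown in.
    ip link add "$name" type "$kind" local 2001:db8::1 remote 2001:db8::2 \
        || { echo UNKNOWN; return; }

    # 2. A sandbox: new user ns (caller mapped to uid 0) owning a new net ns,
    #    so the sandbox holds CAP_NET_ADMIN there and nowhere else.
    unshare -U -r -n sleep 60 &
    sandbox=$!
    sleep 1

    # 3. The host moves the device into the sandbox netns (IFLA_NET_NS_PID,
    #    same code path as IFLA_NET_NS_FD).
    ip link set "$name" netns "$sandbox"

    # 4. The sandbox tries to re-point the tunnel. rtnl only checks
    #    CAP_NET_ADMIN in the sandbox netns; the patched changelink also
    #    requires it in the creation netns and answers EPERM.
    status=0
    err=$(nsenter -t "$sandbox" -U -n \
          ip link set "$name" type "$kind" remote 2001:db8::bad 2>&1 >/dev/null) \
        || status=$?
    verdict=$(classify "$status" "$err")

    # Cleanup: ending the sandbox destroys its netns and the device with it.
    kill "$sandbox" 2>/dev/null || true
    wait "$sandbox" 2>/dev/null || true
    echo "$verdict"
}

main() {
    for spec in "ip6gre gre6test" "vti6 vti6test"; do
        set -- $spec
        printf '%-7s %s\n' "$1" "$(probe "$1" "$2")"
    done
}

case "${1:-}" in
    --run) main ;;
esac
```

Run it as `sh check-tunnel-changelink.sh --run` on the host. A kernel with patches 5/7 and 6/7 prints FIXED for both rows; an unpatched kernel prints VULNERABLE, and at that point `nsenter -t <pid> -n ip -d link show gre6test` would show the remote set by the sandbox while the tunnel still encapsulates in the host netns.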