Re: [PATCH net v3] ppp: require CAP_NET_ADMIN in target netns for unattached ioctls
From: 하태구
Date: Thu Apr 09 2026 - 03:18:49 EST
Hello,
Yes, I have a QEMU-based PoC and validation log for the current patch.
The reproducer starts as an unprivileged uid, verifies that open("/dev/ppp")
fails before CLONE_NEWUSER, then creates only a new user namespace while
keeping the same network namespace, and finally attempts PPPIOCNEWUNIT.
With the current patch applied, the original userns-only inherited-netns path
is blocked as expected. In the same network namespace, open("/dev/ppp") still
succeeds after CLONE_NEWUSER, but PPPIOCNEWUNIT now fails with EPERM.
Relevant log lines from my current QEMU run:
[*] initial netns ino=4026531833
[*] dropped to uid=65534 gid=65534 before userns
[*] open(/dev/ppp) before userns failed as expected: Operation not permitted
[*] after userns-only unshare netns ino=4026531833
[*] now uid=0 gid=65534 in new userns
[*] open(/dev/ppp) after userns succeeded
ioctl(PPPIOCNEWUNIT): Operation not permitted
I am attaching:
- the minimal guest reproducer used in QEMU
- the guest serial log from the current patched run
Thanks,
Taegu Ha
hataegu0826@xxxxxxxxx
On Thu, 9 Apr 2026 at 16:12, Taegu Ha <hataegu0826@xxxxxxxxx> wrote:
>
> /dev/ppp open is currently authorized against file->f_cred->user_ns,
> while unattached administrative ioctls operate on current->nsproxy->net_ns.
>
> As a result, a local unprivileged user can create a new user namespace
> with CLONE_NEWUSER, gain CAP_NET_ADMIN only in that new user namespace,
> and still issue PPPIOCNEWUNIT, PPPIOCATTACH, or PPPIOCATTCHAN against
> an inherited network namespace.
>
> Require CAP_NET_ADMIN in the user namespace that owns the target network
> namespace before handling unattached PPP administrative ioctls.
>
> This preserves normal pppd operation in the network namespace it is
> actually privileged in, while rejecting the userns-only inherited-netns
> case.
>
> Fixes: 273ec51dd7ce ("net: ppp_generic - introduce net-namespace functionality v2")
> Signed-off-by: Taegu Ha <hataegu0826@xxxxxxxxx>
> ---
> drivers/net/ppp/ppp_generic.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
> index e9b41777be80..c2024684b10d 100644
> --- a/drivers/net/ppp/ppp_generic.c
> +++ b/drivers/net/ppp/ppp_generic.c
> @@ -1057,6 +1057,9 @@ static int ppp_unattached_ioctl(struct net *net, struct ppp_file *pf,
> struct ppp_net *pn;
> int __user *p = (int __user *)arg;
>
> + if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
> + return -EPERM;
> +
> switch (cmd) {
> case PPPIOCNEWUNIT:
> /* Create a new ppp unit */
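Review bot: the new ns_capable() check sits before the switch, so it gates every command that reaches ppp_unattached_ioctl(), not only the PPPIOCNEWUNIT, PPPIOCATTACH and PPPIOCATTCHAN cases named in the commit message; please confirm that no other cmd dispatched from this switch is meant to remain usable without CAP_NET_ADMIN in net->user_ns, or move the check into the specific cases that create or attach units and channels. A one-line comment above the check stating why net->user_ns (the owner of the target network namespace passed in as the function argument) is the right authority, rather than the credentials that opened /dev/ppp, would also help future readers understand the split between the open-time and ioctl-time checks.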
> --
> 2.43.0
>
Attachment:
ppp_v3_validation.log
Description: Binary data
Attachment:
ppp_poc_init_v3.c
Description: Binary data