Re: [PATCH net] rtnetlink: Require CAP_NET_ADMIN in link netns for changelink.

From: Maoyi Xie

Date: Wed May 27 2026 - 05:43:47 EST


Hi Kuniyuki,

Thanks for looking.

> Do all other callers of ->get_link_net(), dev_get_iflink_dev()
> and batadv_getlink_net(), require the same capability check ?

No. Those are read paths. get_link_net feeds IFLA_LINK_NETNSID, the
iflink lookup feeds IFLA_LINK, and batadv_getlink_net resolves a hard
interface's parent netns. None of them mutates state, so none needs a
capability check.

But your question points at a real problem in my patch. get_link_net
is the wrong gate. For the ip tunnels and xfrmi it returns t->net, the
netns that changelink mutates, so the check is right there. For peer
types like netkit and veth it returns the peer netns instead. netkit
has a changelink, and its peer usually lives in another netns. My patch
would then require CAP_NET_ADMIN in the peer netns for a plain change
to a netkit device, which netkit does not require today.

So the check belongs in the changelink path of the types that mutate
t->net, against t->net->user_ns. That mirrors the ioctl side in
8b484efd5cb4. I will send a v2 along those lines.

Thanks,
Maoyi