RE: [PATCH net v3 1/3] tipc: require net admin for TIPCv2 netlink mutators
From: Tung Quang Nguyen
Date: Tue Jun 09 2026 - 09:56:04 EST
>Subject: [PATCH net v3 1/3] tipc: require net admin for TIPCv2 netlink mutators
>
>TIPCv2 registers mutating generic-netlink operations without admin permission
>flags. Generic netlink only checks CAP_NET_ADMIN when an operation sets
>GENL_ADMIN_PERM or GENL_UNS_ADMIN_PERM, so a local unprivileged
>process can currently change TIPC state through commands such as
>TIPC_NL_NET_SET, TIPC_NL_KEY_SET, TIPC_NL_KEY_FLUSH, and bearer
>enable/disable.
>
>The legacy TIPC netlink API already checks netlink_net_capable(...,
>CAP_NET_ADMIN) for administrative commands. Give the TIPCv2 mutators the
>equivalent generic-netlink gate. Use GENL_UNS_ADMIN_PERM for
>network-namespace-scoped operations and GENL_ADMIN_PERM for
>TIPC_NL_MEDIA_SET, which updates the shared media defaults rather than
>state owned only by the target network namespace.
Given that the legacy TIPC netlink uses netlink_net_capable(), we should keep the same behavior
for TIPC netlink (i.e., not using GENL_ADMIN_PERM) to better support user namespaces and containers.
>
>A QEMU/KASAN repro run as uid/gid 65534 with zero effective capabilities
>previously succeeded in changing the network id and node identity, setting and
>flushing key material, and enabling/disabling a UDP bearer. With this patch
>applied the same operations fail with -EPERM.
>
>Fixes: 0655f6a8635b ("tipc: add bearer disable/enable to new netlink api")
>Link: https://lore.kernel.org/all/20260604163102.2658553-1-
>dominik.czarnota@xxxxxxxxxxxxxxx/
>Assisted-by: Codex:gpt-5-5-xhigh
>Signed-off-by: Michael Bommarito <michael.bommarito@xxxxxxxxx>
>---
>v2:
>- Use GENL_ADMIN_PERM for TIPC_NL_MEDIA_SET because it updates global
> media defaults, while keeping GENL_UNS_ADMIN_PERM for netns-scoped
> mutators.
>
> net/tipc/netlink.c | 12 ++++++++++++
> 1 file changed, 12 insertions(+)
>
>diff --git a/net/tipc/netlink.c b/net/tipc/netlink.c index
>1a9a5bdaccf4f..5bbe134284acc 100644
>--- a/net/tipc/netlink.c
>+++ b/net/tipc/netlink.c
>@@ -152,11 +152,13 @@ static const struct genl_ops tipc_genl_v2_ops[] = {
> {
> .cmd = TIPC_NL_BEARER_DISABLE,
> .validate = GENL_DONT_VALIDATE_STRICT |
>GENL_DONT_VALIDATE_DUMP,
>+ .flags = GENL_UNS_ADMIN_PERM,
> .doit = tipc_nl_bearer_disable,
> },
> {
> .cmd = TIPC_NL_BEARER_ENABLE,
> .validate = GENL_DONT_VALIDATE_STRICT |
>GENL_DONT_VALIDATE_DUMP,
>+ .flags = GENL_UNS_ADMIN_PERM,
> .doit = tipc_nl_bearer_enable,
> },
> {
>@@ -168,11 +170,13 @@ static const struct genl_ops tipc_genl_v2_ops[] = {
> {
> .cmd = TIPC_NL_BEARER_ADD,
> .validate = GENL_DONT_VALIDATE_STRICT |
>GENL_DONT_VALIDATE_DUMP,
>+ .flags = GENL_UNS_ADMIN_PERM,
> .doit = tipc_nl_bearer_add,
> },
> {
> .cmd = TIPC_NL_BEARER_SET,
> .validate = GENL_DONT_VALIDATE_STRICT |
>GENL_DONT_VALIDATE_DUMP,
>+ .flags = GENL_UNS_ADMIN_PERM,
> .doit = tipc_nl_bearer_set,
> },
> {
>@@ -197,11 +201,13 @@ static const struct genl_ops tipc_genl_v2_ops[] = {
> {
> .cmd = TIPC_NL_LINK_SET,
> .validate = GENL_DONT_VALIDATE_STRICT |
>GENL_DONT_VALIDATE_DUMP,
>+ .flags = GENL_UNS_ADMIN_PERM,
> .doit = tipc_nl_node_set_link,
> },
> {
> .cmd = TIPC_NL_LINK_RESET_STATS,
> .validate = GENL_DONT_VALIDATE_STRICT |
>GENL_DONT_VALIDATE_DUMP,
>+ .flags = GENL_UNS_ADMIN_PERM,
> .doit = tipc_nl_node_reset_link_stats,
> },
> {
>@@ -213,6 +219,7 @@ static const struct genl_ops tipc_genl_v2_ops[] = {
> {
> .cmd = TIPC_NL_MEDIA_SET,
> .validate = GENL_DONT_VALIDATE_STRICT |
>GENL_DONT_VALIDATE_DUMP,
>+ .flags = GENL_ADMIN_PERM,
> .doit = tipc_nl_media_set,
> },
> {
>@@ -228,6 +235,7 @@ static const struct genl_ops tipc_genl_v2_ops[] = {
> {
> .cmd = TIPC_NL_NET_SET,
> .validate = GENL_DONT_VALIDATE_STRICT |
>GENL_DONT_VALIDATE_DUMP,
>+ .flags = GENL_UNS_ADMIN_PERM,
> .doit = tipc_nl_net_set,
> },
> {
>@@ -238,6 +246,7 @@ static const struct genl_ops tipc_genl_v2_ops[] = {
> {
> .cmd = TIPC_NL_MON_SET,
> .validate = GENL_DONT_VALIDATE_STRICT |
>GENL_DONT_VALIDATE_DUMP,
>+ .flags = GENL_UNS_ADMIN_PERM,
> .doit = tipc_nl_node_set_monitor,
> },
> {
>@@ -255,6 +264,7 @@ static const struct genl_ops tipc_genl_v2_ops[] = {
> {
> .cmd = TIPC_NL_PEER_REMOVE,
> .validate = GENL_DONT_VALIDATE_STRICT |
>GENL_DONT_VALIDATE_DUMP,
>+ .flags = GENL_UNS_ADMIN_PERM,
> .doit = tipc_nl_peer_rm,
> },
> #ifdef CONFIG_TIPC_MEDIA_UDP
>@@ -269,11 +279,13 @@ static const struct genl_ops tipc_genl_v2_ops[] = {
> {
> .cmd = TIPC_NL_KEY_SET,
> .validate = GENL_DONT_VALIDATE_STRICT |
>GENL_DONT_VALIDATE_DUMP,
>+ .flags = GENL_UNS_ADMIN_PERM,
> .doit = tipc_nl_node_set_key,
> },
> {
> .cmd = TIPC_NL_KEY_FLUSH,
> .validate = GENL_DONT_VALIDATE_STRICT |
>GENL_DONT_VALIDATE_DUMP,
>+ .flags = GENL_UNS_ADMIN_PERM,
> .doit = tipc_nl_node_flush_key,
> },
> #endif
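Review bot: The Fixes: trailer names only the commit that added bearer enable/disable, yet TIPC_NL_KEY_SET and TIPC_NL_KEY_FLUSH in this hunk sit under a build conditional (its #endif is visible here, the opening #ifdef is before the hunk) and were presumably introduced by a later commit. A stable backport driven by that single tag may land in trees where these ops do not exist, while trees that have the key ops but were never keyed on that tag may never receive the gate. Consider one Fixes: tag per commit that introduced an unguarded mutator, or at least a note for stable maintainers stating which hunks apply to which trees.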
>--
>2.53.0
>