[PATCH net v5 3/7] net: ip_vti: require CAP_NET_ADMIN in the device netns for changelink

Next message: Maoyi Xie: "[PATCH net v5 4/7] net: ip6_tunnel: require CAP_NET_ADMIN in the device netns for changelink"
Previous message: Maoyi Xie: "[PATCH net v5 2/7] net: ipip: require CAP_NET_ADMIN in the device netns for changelink"
In reply to: Kuniyuki Iwashima: "Re: [PATCH net v5 2/7] net: ipip: require CAP_NET_ADMIN in the device netns for changelink"
Next in thread: Kuniyuki Iwashima: "Re: [PATCH net v5 3/7] net: ip_vti: require CAP_NET_ADMIN in the device netns for changelink"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Maoyi Xie

Date: Thu Jun 11 2026 - 02:31:05 EST

vti_changelink() operates on at most two netns, dev_net(dev) and the
tunnel link netns t->net. They differ once the device is created in or
moved to a netns other than the one the request runs in. The rtnl
changelink path checks CAP_NET_ADMIN only against dev_net(dev), so a
caller privileged there but not in t->net can rewrite a tunnel that
lives in t->net.

Gate vti_changelink() on rtnl_dev_link_net_capable() at its top,
before any attribute is parsed.

Reported-by: Xiao Liang <shaw.leon@xxxxxxxxx>
Closes: https://lore.kernel.org/netdev/CABAhCOSzP1vaThGV35_VnsRCb=87_CPjPVsTHbq905k8A+BuUg@xxxxxxxxxxxxxx/
Fixes: d0f418516022 ("net, ip_tunnel: fix namespaces move")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Maoyi Xie <maoyixie.tju@xxxxxxxxx>
---
net/ipv4/ip_vti.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c
index 95b6bb78fcd2..3b80929994a0 100644
--- a/net/ipv4/ip_vti.c
+++ b/net/ipv4/ip_vti.c
@@ -596,6 +596,9 @@ static int vti_changelink(struct net_device *dev, struct nlattr *tb[],
struct ip_tunnel_parm_kern p;
__u32 fwmark = t->fwmark;

+ if (!rtnl_dev_link_net_capable(dev, t->net))
+ return -EPERM;
+
vti_netlink_parms(data, &p, &fwmark);
return ip_tunnel_changelink(dev, tb, &p, fwmark);
}
--
2.34.1