Re: [PATCH net v5 1/7] net: ip_gre: require CAP_NET_ADMIN in the device netns for changelink

From: Kuniyuki Iwashima

Date: Fri Jun 12 2026 - 02:43:07 EST


On Wed, Jun 10, 2026 at 11:28 PM Maoyi Xie <maoyixie.tju@xxxxxxxxx> wrote:
>
> A tunnel changelink() operates on at most two netns, dev_net(dev) and
> the tunnel link netns t->net. They differ once the device is created in
> or moved to a netns other than the one the request runs in. The rtnl
> changelink path checks CAP_NET_ADMIN only against dev_net(dev), so a
> caller privileged there but not in t->net can rewrite a tunnel that
> lives in t->net.
>
> Add rtnl_dev_link_net_capable() next to rtnl_get_net_ns_capable() in
> net/core/rtnetlink.c. It requires CAP_NET_ADMIN in the link netns and is
> skipped when the link netns is dev_net(dev), where the rtnl path already
> checked it. The other patches in this series use the same helper.
>
> Gate ipgre_changelink() and erspan_changelink() with it, at the top of
> the op before any attribute is parsed, because the parsers update live
> tunnel fields first. ipgre_netlink_parms() sets t->collect_md before
> ip_tunnel_changelink() runs.
>
> Commit 8b484efd5cb4 ("ip6: vti: Use ip6_tnl.net in
> vti6_siocdevprivate().") added the same check on the ioctl path. This
> adds it on RTM_NEWLINK.
>
> Reported-by: Xiao Liang <shaw.leon@xxxxxxxxx>
> Closes: https://lore.kernel.org/netdev/CABAhCOSzP1vaThGV35_VnsRCb=87_CPjPVsTHbq905k8A+BuUg@xxxxxxxxxxxxxx/
> Fixes: d0f418516022 ("net, ip_tunnel: fix namespaces move")

This tag looks wrong; the correct one should be

Fixes: b57708add314 ("gre: add x-netns support")

This also applies to erspan since it shared the code until
e1f8f78ffe985.


> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Maoyi Xie <maoyixie.tju@xxxxxxxxx>

The change itself looks good.

Reviewed-by: Kuniyuki Iwashima <kuniyu@xxxxxxxxxx>