Re: [PATCH net v5 3/7] net: ip_vti: require CAP_NET_ADMIN in the device netns for changelink

Next message: Xu Yang: "Re: [PATCH v4 1/3] device property: fix infinite loop in fwnode_for_each_child_node()"
Previous message: David Hildenbrand (Arm): "Re: [PATCH] mm/gup_test: fix race with PIN_LONGTERM_TEST ioctls"
In reply to: Maoyi Xie: "[PATCH net v5 3/7] net: ip_vti: require CAP_NET_ADMIN in the device netns for changelink"
Next in thread: Maoyi Xie: "[PATCH net v5 4/7] net: ip6_tunnel: require CAP_NET_ADMIN in the device netns for changelink"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Kuniyuki Iwashima

Date: Fri Jun 12 2026 - 02:49:25 EST

On Wed, Jun 10, 2026 at 11:28 PM Maoyi Xie <maoyixie.tju@xxxxxxxxx> wrote:
>
> vti_changelink() operates on at most two netns, dev_net(dev) and the
> tunnel link netns t->net. They differ once the device is created in or
> moved to a netns other than the one the request runs in. The rtnl
> changelink path checks CAP_NET_ADMIN only against dev_net(dev), so a
> caller privileged there but not in t->net can rewrite a tunnel that
> lives in t->net.
>
> Gate vti_changelink() on rtnl_dev_link_net_capable() at its top,
> before any attribute is parsed.
>
> Reported-by: Xiao Liang <shaw.leon@xxxxxxxxx>
> Closes: https://lore.kernel.org/netdev/CABAhCOSzP1vaThGV35_VnsRCb=87_CPjPVsTHbq905k8A+BuUg@xxxxxxxxxxxxxx/
> Fixes: d0f418516022 ("net, ip_tunnel: fix namespaces move")

Wrong tag again..

Fixes: 895de9a3488a ("vti4: Enable namespace changing")

> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Maoyi Xie <maoyixie.tju@xxxxxxxxx>

Reviewed-by: Kuniyuki Iwashima <kuniyu@xxxxxxxxxx>