Re: [PATCH net v5 6/7] net: ip6_vti: require CAP_NET_ADMIN in the device netns for changelink

Next message: tabba: "[PATCH v1 11/11] KVM: arm64: Implement lazy vCPU state sync for non-protected guests"
Previous message: tabba: "[PATCH v1 10/11] KVM: arm64: Add primitives to flush/sync the VGIC state at EL2"
In reply to: Maoyi Xie: "[PATCH net v5 6/7] net: ip6_vti: require CAP_NET_ADMIN in the device netns for changelink"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Kuniyuki Iwashima

Date: Fri Jun 12 2026 - 03:01:31 EST

On Wed, Jun 10, 2026 at 11:28 PM Maoyi Xie <maoyixie.tju@xxxxxxxxx> wrote:
>
> vti6_changelink() operates on at most two netns, dev_net(dev) and the
> tunnel link netns t->net. They differ once the device is created in or
> moved to a netns other than the one the request runs in. The rtnl
> changelink path checks CAP_NET_ADMIN only against dev_net(dev), so a
> caller privileged there but not in t->net can rewrite a tunnel that
> lives in t->net.
>
> Gate vti6_changelink() on rtnl_dev_link_net_capable() at its top,
> before any attribute is parsed.
>
> Reported-by: Xiao Liang <shaw.leon@xxxxxxxxx>
> Closes: https://lore.kernel.org/netdev/CABAhCOSzP1vaThGV35_VnsRCb=87_CPjPVsTHbq905k8A+BuUg@xxxxxxxxxxxxxx/
> Fixes: 11b326fb0a37 ("ip6: vti: Use ip6_tnl.net in vti6_changelink().")

Wrong tag again.. :/

Fixes: 61220ab34948 ("vti6: Enable namespace changing")

> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Maoyi Xie <maoyixie.tju@xxxxxxxxx>

Reviewed-by: Kuniyuki Iwashima <kuniyu@xxxxxxxxxx>