Re: [PATCH net v5 7/7] xfrm: xfrm_interface: require CAP_NET_ADMIN in the device netns for changelink

Next message: tabba: "[PATCH v1 04/11] KVM: arm64: Extract MPIDR computation into a shared header"
Previous message: tabba: "[PATCH v1 03/11] KVM: arm64: Use guard()/scoped_guard() in arm64 KVM EL1 code"
In reply to: Maoyi Xie: "[PATCH net v5 7/7] xfrm: xfrm_interface: require CAP_NET_ADMIN in the device netns for changelink"
Next in thread: Maoyi Xie: "[PATCH net v5 2/7] net: ipip: require CAP_NET_ADMIN in the device netns for changelink"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Kuniyuki Iwashima

Date: Fri Jun 12 2026 - 03:03:27 EST

On Wed, Jun 10, 2026 at 11:28 PM Maoyi Xie <maoyixie.tju@xxxxxxxxx> wrote:
>
> xfrmi_changelink() operates on at most two netns, dev_net(dev) and the
> interface link netns xi->net. They differ once the device is created in
> or moved to a netns other than the one the request runs in. The rtnl
> changelink path checks CAP_NET_ADMIN only against dev_net(dev), so a
> caller privileged there but not in xi->net can rewrite an interface that
> lives in xi->net.
>
> Gate xfrmi_changelink() on rtnl_dev_link_net_capable() at its top,
> before any attribute is parsed.
>
> Reported-by: Xiao Liang <shaw.leon@xxxxxxxxx>
> Closes: https://lore.kernel.org/netdev/CABAhCOSzP1vaThGV35_VnsRCb=87_CPjPVsTHbq905k8A+BuUg@xxxxxxxxxxxxxx/
> Fixes: f203b76d7809 ("xfrm: Add virtual xfrm interfaces")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Maoyi Xie <maoyixie.tju@xxxxxxxxx>

Reviewed-by: Kuniyuki Iwashima <kuniyu@xxxxxxxxxx>