[PATCH 2/2] smb: client: require GENL_ADMIN_PERM on CIFS_GENL_CMD_SWN_NOTIFY

From: Michael Bommarito

Date: Sun May 17 2026 - 05:42:13 EST


The witness-notify generic-netlink command callback dereferences a
struct cifs_swn_reg looked up by an attacker-supplied registration id,
and the operation entry in cifs_genl_ops[] has no .flags set.
Generic netlink only enforces a capability check when GENL_ADMIN_PERM,
GENL_UNS_ADMIN_PERM, or GENL_OWNER_PERM_CHECK is present on the
operation (net/netlink/genetlink.c). As written, any local
unprivileged process can send CIFS_SWN_NOTIFICATION_RESOURCE_CHANGE
or CIFS_SWN_NOTIFICATION_CLIENT_MOVE to the in-kernel cifs witness
handler.

The intended sender is the cifs.witness userspace helper, which
runs as root via its systemd unit, so requiring CAP_NET_ADMIN in the
initial user namespace does not break any in-tree consumer.

This patch closes the unprivileged attack surface itself. The
companion patch ("smb: client: pin tcon across cifs_swn_notify()
mutex drop") closes the lifetime bug exposed by that surface; the
two are independent and both unconditionally beneficial.

Fixes: fed979a7e082 ("cifs: Set witness notification handler for messages from userspace daemon")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Michael Bommarito <michael.bommarito@xxxxxxxxx>
Assisted-by: Claude:claude-opus-4-7
---
fs/smb/client/netlink.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/fs/smb/client/netlink.c b/fs/smb/client/netlink.c
index 147d9409252cd..acd0cd44a3038 100644
--- a/fs/smb/client/netlink.c
+++ b/fs/smb/client/netlink.c
@@ -33,6 +33,7 @@ static const struct nla_policy cifs_genl_policy[CIFS_GENL_ATTR_MAX + 1] = {
static const struct genl_ops cifs_genl_ops[] = {
{
.cmd = CIFS_GENL_CMD_SWN_NOTIFY,
+ .flags = GENL_ADMIN_PERM,
.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
.doit = cifs_swn_notify,
},
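Review bot: the hunk chooses GENL_ADMIN_PERM, which requires CAP_NET_ADMIN in the initial user namespace; the commit message should state why GENL_UNS_ADMIN_PERM (CAP_NET_ADMIN in the user namespace owning the socket's network namespace) was rejected, since a cifs.witness helper run inside a container with its own user namespace would be refused under the chosen flag but admitted under the other. The trade-off is reasonable given that the only in-tree sender runs as root from its systemd unit, but the stricter choice is a deliberate decision and deserves a sentence so a later reader does not "fix" it by loosening the check. Also worth a note in the message is that the existing `.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP` line is unaffected: the permission check in genetlink runs before attribute validation, so the flag closes the surface regardless of the relaxed validation mode.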
--
2.53.0