Re: [PATCH net] rtnetlink: Require CAP_NET_ADMIN in link netns for changelink.

[Kuniyuki Iwashima]

On Wed, May 27, 2026 at 12:08 AM Maoyi Xie <maoyixie.tju@xxxxxxxxx> wrote:
>
> Commit 11b326fb0a37 ("ip6: vti: Use ip6_tnl.net in
> vti6_changelink().") made vti6_changelink() and vti6_update()
> mutate the vti6 hash of the device's creation netns. The
> rtnetlink path into changelink never checks CAP_NET_ADMIN
> against that netns. The only capability check on the link netns,
> netlink_ns_capable() against link_net->user_ns, runs solely when
> the RTM_NEWLINK message carries IFLA_LINK_NETNSID. A plain
> "ip link set <name> type vti6 ..." does not carry it.
>
> So an unprivileged user holding a migrated vti6 device can
> rewrite an entry in the creation netns vti6 hash. They pick the
> endpoint addresses. Commit 8b484efd5cb4 ("ip6: vti: Use
> ip6_tnl.net in vti6_siocdevprivate().") already closed the
> SIOCCHGTUNNEL path. This patch closes the RTM_NEWLINK path.
>
> Other link_types are affected too. Any type that publishes
> get_link_net and whose changelink touches t->net has the same
> gap: ipip, gre, sit, ip_vti, ip6_tnl, ip6_gre, xfrm_interface.
>
> Check netlink_ns_capable(CAP_NET_ADMIN) against the device's
> link netns before dispatching to rtnl_changelink(). Types
> without get_link_net are unaffected. The newlink path has long
> checked capability in the link netns. The changelink path never
> did.
>
> Reported-by: Xiao Liang <shaw.leon@xxxxxxxxx>
> Closes: https://lore.kernel.org/netdev/CABAhCOSzP1vaThGV35_VnsRCb=87_CPjPVsTHbq905k8A+BuUg@xxxxxxxxxxxxxx/
> Fixes: 06615bed60c1 ("net: Verify permission to link_net in newlink")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Maoyi Xie <maoyixie.tju@xxxxxxxxx>
> ---
>  net/core/rtnetlink.c | 20 +++++++++++++++++++-
>  1 file changed, 19 insertions(+), 1 deletion(-)
>
> diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
> index df042da422ef..ac7a3bf438d5 100644
> --- a/net/core/rtnetlink.c
> +++ b/net/core/rtnetlink.c
> @@ -3969,8 +3969,26 @@ static int __rtnl_newlink(struct sk_buff *skb, struct nlmsghdr *nlh,
>                 dev = NULL;
>         }
>
> -       if (dev)
> +       if (dev) {
> +               /* changelink may mutate the link's creation netns.
> +                * rtnl_link_get_net_capable() above only checked
> +                * tgt_net. When the creation netns differs, also
> +                * require CAP_NET_ADMIN there. Otherwise a migrated
> +                * device lets a caller with caps only in its current
> +                * netns mutate the creation netns.
> +                */
> +               if (dev->rtnl_link_ops && dev->rtnl_link_ops->get_link_net) {
> +                       struct net *dev_link_net;
> +
> +                       dev_link_net = dev->rtnl_link_ops->get_link_net(dev);
> +                       if (!net_eq(dev_link_net, tgt_net) &&
> +                           !netlink_ns_capable(skb, dev_link_net->user_ns,
> +                                               CAP_NET_ADMIN))
> +                               return -EPERM;

Do all other callers of ->get_link_net(), dev_get_iflink_dev()
and batadv_getlink_net(), require the same capability check ?


> +               }
> +
>                 return rtnl_changelink(skb, nlh, ops, dev, tgt_net, tbs, data, extack);
> +       }
>
>         if (!(nlh->nlmsg_flags & NLM_F_CREATE)) {
>                 /* No dev found and NLM_F_CREATE not set. Requested dev does not exist,
> --
> 2.34.1
>