Re: [PATCH net] rtnetlink: Require CAP_NET_ADMIN in link netns for changelink.

Next message: Jonathan Cameron: "Re: [PATCH v2] counter: interrupt-cnt: use devm_mutex_init()"
Previous message: Jonathan Cameron: "Re: [PATCH v4 7/9] iio: core: Add IIO_COVERAGE channel type"
In reply to: Maoyi Xie: "Re: [PATCH net] rtnetlink: Require CAP_NET_ADMIN in link netns for changelink."
Next in thread: Maoyi Xie: "Re: [PATCH net] rtnetlink: Require CAP_NET_ADMIN in link netns for changelink."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Kuniyuki Iwashima

Date: Wed May 27 2026 - 12:57:34 EST

On Wed, May 27, 2026 at 2:43 AM Maoyi Xie <maoyixie.tju@xxxxxxxxx> wrote:
>
> Hi Kuniyuki,
>
> Thanks for looking.
>
> > Do all other callers of ->get_link_net(), dev_get_iflink_dev()
> > and batadv_getlink_net(), require the same capability check ?
>
> No. Those are read paths.

See how netif_change_proto_down() uses dev_get_iflink_dev().

> get_link_net feeds IFLA_LINK_NETNSID, the
> iflink lookup feeds IFLA_LINK, and batadv_getlink_net resolves a hard
> interface's parent netns. None of them mutates state, so none needs a
> capability check.
>
> But your question points at a real problem in my patch. get_link_net
> is the wrong gate. For the ip tunnels and xfrmi it returns t->net, the
> netns changelink mutates, so the check is right there. For peer types
> like netkit and veth it returns the peer netns instead. netkit has a
> changelink, and its peer usually lives in another netns. My patch
> would then require CAP_NET_ADMIN in the peer netns for a plain change
> to a netkit device, which netkit does not require today.
>
> So the check belongs in the changelink path of the types that mutate
> t->net, against t->net->user_ns. That mirrors the ioctl side in
> 8b484efd5cb4. I will send a v2 along those lines.
>
> Thanks,
> Maoyi