[PATCH net-next v2 1/2] net: devmem: allow bind-rx from non-init user namespaces
From: Bobby Eshleman <hidden>
Date: 2026-06-03 01:37:54
Also in:
linux-kselftest, lkml
Subsystem:
networking [general], the rest, yaml netlink (ynl) · Maintainers:
"David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Linus Torvalds, Donald Hunter
From: Bobby Eshleman <redacted> NETDEV_CMD_BIND_RX is currently GENL_ADMIN_PERM, which checks CAP_NET_ADMIN against init userns. With recent container/netkit/ns support for devmem, other userns/netns use cases come online and require bind-rx to allow CAP_NET_ADMIN in non-init user ns as well. Switch the flag to GENL_UNS_ADMIN_PERM to allow bind-rx for CAP_NET_ADMIN in the netns's owning userns as well. Signed-off-by: Bobby Eshleman <redacted> --- Documentation/netlink/specs/netdev.yaml | 2 +- net/core/netdev-genl-gen.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/Documentation/netlink/specs/netdev.yaml b/Documentation/netlink/specs/netdev.yaml
index a1f4c5a561e9..49862b666d7d 100644
--- a/Documentation/netlink/specs/netdev.yaml
+++ b/Documentation/netlink/specs/netdev.yaml@@ -798,7 +798,7 @@ operations: name: bind-rx doc: Bind dmabuf to netdev attribute-set: dmabuf - flags: [admin-perm] + flags: [uns-admin-perm] do: request: attributes:
diff --git a/net/core/netdev-genl-gen.c b/net/core/netdev-genl-gen.c
index c7e138bfe345..d18c89b5a6c7 100644
--- a/net/core/netdev-genl-gen.c
+++ b/net/core/netdev-genl-gen.c@@ -220,7 +220,7 @@ static const struct genl_split_ops netdev_nl_ops[] = { .doit = netdev_nl_bind_rx_doit, .policy = netdev_bind_rx_nl_policy, .maxattr = NETDEV_A_DMABUF_FD, - .flags = GENL_ADMIN_PERM | GENL_CMD_CAP_DO, + .flags = GENL_UNS_ADMIN_PERM | GENL_CMD_CAP_DO, }, { .cmd = NETDEV_CMD_NAPI_SET,
--
2.53.0-Meta