[PATCH net v4 3/7] net: ip_vti: require CAP_NET_ADMIN in the device netns... | netdev

[PATCH net v4 0/7] net: require CAP_NET_ADMIN in the device netns for tunnel changelink · Maoyi Xie <hidden> · 2026-06-09
[PATCH net v4 1/7] net: ip_gre: require CAP_NET_ADMIN in the device netns for changelink · Maoyi Xie <hidden> · 2026-06-09
Re: [PATCH net v4 1/7] net: ip_gre: require CAP_NET_ADMIN in the device netns for changelink · Kuniyuki Iwashima <kuniyu@google.com> · 2026-06-11
[PATCH net v4 2/7] net: ipip: require CAP_NET_ADMIN in the device netns for changelink · Maoyi Xie <hidden> · 2026-06-09
[PATCH net v4 3/7] net: ip_vti: require CAP_NET_ADMIN in the device netns for changelink · Maoyi Xie <hidden> · 2026-06-09
[PATCH net v4 4/7] net: ip6_tunnel: require CAP_NET_ADMIN in the device netns for changelink · Maoyi Xie <hidden> · 2026-06-09
[PATCH net v4 5/7] net: ip6_gre: require CAP_NET_ADMIN in the device netns for changelink · Maoyi Xie <hidden> · 2026-06-09
[PATCH net v4 6/7] net: ip6_vti: require CAP_NET_ADMIN in the device netns for changelink · Maoyi Xie <hidden> · 2026-06-09
[PATCH net v4 7/7] xfrm: xfrm_interface: require CAP_NET_ADMIN in the device netns for changelink · Maoyi Xie <hidden> · 2026-06-09

WARM1d

Revisions (3)

2026-06-09 v4 current
2026-06-11 v5 [diff vs current]
2026-06-12 v6 [diff vs current]

[PATCH net v4 3/7] net: ip_vti: require CAP_NET_ADMIN in the device netns for changelink

From: Maoyi Xie <hidden>
Date: 2026-06-09 16:31:29
Also in: lkml, stable
Subsystem: networking [general], networking [ipsec], networking [ipv4/ipv6], the rest · Maintainers: "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Steffen Klassert, Herbert Xu, David Ahern, Ido Schimmel, Linus Torvalds

vti_changelink() rewrites the tunnel in its creation netns. After an
IFLA_NET_NS_FD migration that netns is not the caller's, but the rtnl
changelink path only checks CAP_NET_ADMIN against the caller's netns. A
caller with caps only in its current netns can then rewrite a tunnel in
another netns and pick its endpoint addresses.

Gate the op on net_admin_capable() at its top, before any attribute is
parsed. The check is skipped when the tunnel netns is the device's
current netns, where the rtnl path already checked the cap.

Reported-by: Xiao Liang <redacted>
Closes: https://lore.kernel.org/netdev/CABAhCOSzP1vaThGV35_VnsRCb=87_CPjPVsTHbq905k8A+BuUg@mail.gmail.com/ (local)
Fixes: d0f418516022 ("net, ip_tunnel: fix namespaces move")
Cc: stable@vger.kernel.org
Signed-off-by: Maoyi Xie <redacted>
---
 net/ipv4/ip_vti.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c
index 95b6bb78fcd2..55ec52bc5db0 100644
--- a/net/ipv4/ip_vti.c
+++ b/net/ipv4/ip_vti.c

@@ -596,6 +596,9 @@ static int vti_changelink(struct net_device *dev, struct nlattr *tb[],
 	struct ip_tunnel_parm_kern p;
 	__u32 fwmark = t->fwmark;
 
+	if (!net_admin_capable(t->net, dev_net(dev)))
+		return -EPERM;
+
 	vti_netlink_parms(data, &p, &fwmark);
 	return ip_tunnel_changelink(dev, tb, &p, fwmark);
 }

-- 
2.34.1

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help