[PATCH net v4 7/7] xfrm: xfrm_interface: require CAP_NET_ADMIN in the device... | netdev

[PATCH net v4 0/7] net: require CAP_NET_ADMIN in the device netns for tunnel changelink · Maoyi Xie <hidden> · 2026-06-09
[PATCH net v4 1/7] net: ip_gre: require CAP_NET_ADMIN in the device netns for changelink · Maoyi Xie <hidden> · 2026-06-09
[PATCH net v4 2/7] net: ipip: require CAP_NET_ADMIN in the device netns for changelink · Maoyi Xie <hidden> · 2026-06-09
[PATCH net v4 3/7] net: ip_vti: require CAP_NET_ADMIN in the device netns for changelink · Maoyi Xie <hidden> · 2026-06-09
[PATCH net v4 4/7] net: ip6_tunnel: require CAP_NET_ADMIN in the device netns for changelink · Maoyi Xie <hidden> · 2026-06-09
[PATCH net v4 5/7] net: ip6_gre: require CAP_NET_ADMIN in the device netns for changelink · Maoyi Xie <hidden> · 2026-06-09
[PATCH net v4 6/7] net: ip6_vti: require CAP_NET_ADMIN in the device netns for changelink · Maoyi Xie <hidden> · 2026-06-09
[PATCH net v4 7/7] xfrm: xfrm_interface: require CAP_NET_ADMIN in the device netns for changelink · Maoyi Xie <hidden> · 2026-06-09

DORMANTno replies

[PATCH net v4 7/7] xfrm: xfrm_interface: require CAP_NET_ADMIN in the device netns for changelink

From: Maoyi Xie <hidden>
Date: 2026-06-09 16:31:44
Also in: lkml, stable
Subsystem: networking [general], networking [ipsec], the rest · Maintainers: "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Steffen Klassert, Herbert Xu, Linus Torvalds

xfrmi_changelink() rewrites the interface in its creation netns. After an
IFLA_NET_NS_FD migration that netns is not the caller's, but the rtnl
changelink path only checks CAP_NET_ADMIN against the caller's netns. A
caller with caps only in its current netns can then rewrite an interface
in another netns.

Gate the op on net_admin_capable() at its top, before any attribute is
parsed. The check is skipped when the interface netns is the device's
current netns, where the rtnl path already checked the cap.

Reported-by: Xiao Liang <redacted>
Closes: https://lore.kernel.org/netdev/CABAhCOSzP1vaThGV35_VnsRCb=87_CPjPVsTHbq905k8A+BuUg@mail.gmail.com/ (local)
Fixes: f203b76d7809 ("xfrm: Add virtual xfrm interfaces")
Cc: stable@vger.kernel.org
Signed-off-by: Maoyi Xie <redacted>
---
 net/xfrm/xfrm_interface_core.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/xfrm/xfrm_interface_core.c b/net/xfrm/xfrm_interface_core.c
index 330a05286a56..8fd3842d20c2 100644
--- a/net/xfrm/xfrm_interface_core.c
+++ b/net/xfrm/xfrm_interface_core.c

@@ -869,6 +869,9 @@ static int xfrmi_changelink(struct net_device *dev, struct nlattr *tb[],
 	struct net *net = xi->net;
 	struct xfrm_if_parms p = {};
 
+	if (!net_admin_capable(net, dev_net(dev)))
+		return -EPERM;
+
 	xfrmi_netlink_parms(data, &p);
 	if (!p.if_id) {
 		NL_SET_ERR_MSG(extack, "if_id must be non zero");

-- 
2.34.1

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help