[PATCH net v6 6/7] net: ip6_vti: require CAP_NET_ADMIN in the device netns... | netdev

[PATCH net v6 0/7] net: require CAP_NET_ADMIN in the device netns for tunnel changelink · Maoyi Xie <hidden> · 2026-06-12
[PATCH net v6 1/7] net: ip_gre: require CAP_NET_ADMIN in the device netns for changelink · Maoyi Xie <hidden> · 2026-06-12
[PATCH net v6 2/7] net: ipip: require CAP_NET_ADMIN in the device netns for changelink · Maoyi Xie <hidden> · 2026-06-12
[PATCH net v6 3/7] net: ip_vti: require CAP_NET_ADMIN in the device netns for changelink · Maoyi Xie <hidden> · 2026-06-12
[PATCH net v6 4/7] net: ip6_tunnel: require CAP_NET_ADMIN in the device netns for changelink · Maoyi Xie <hidden> · 2026-06-12
[PATCH net v6 5/7] net: ip6_gre: require CAP_NET_ADMIN in the device netns for changelink · Maoyi Xie <hidden> · 2026-06-12
[PATCH net v6 6/7] net: ip6_vti: require CAP_NET_ADMIN in the device netns for changelink · Maoyi Xie <hidden> · 2026-06-12
[PATCH net v6 7/7] xfrm: xfrm_interface: require CAP_NET_ADMIN in the device netns for changelink · Maoyi Xie <hidden> · 2026-06-12
Re: [PATCH net v6 0/7] net: require CAP_NET_ADMIN in the device netns for tunnel changelink · patchwork-bot+netdevbpf@kernel.org · 2026-06-18

COOLING6d REVIEWED: 3 (3M)

Revisions (3)

2026-06-09 v4 [diff vs current]
2026-06-11 v5 [diff vs current]
2026-06-12 v6 current

[PATCH net v6 6/7] net: ip6_vti: require CAP_NET_ADMIN in the device netns for changelink

From: Maoyi Xie <hidden>
Date: 2026-06-12 09:00:12
Also in: lkml, stable
Subsystem: networking [general], networking [ipsec], networking [ipv4/ipv6], the rest · Maintainers: "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Steffen Klassert, Herbert Xu, David Ahern, Ido Schimmel, Linus Torvalds

vti6_changelink() operates on at most two netns, dev_net(dev) and the
tunnel link netns t->net. They differ once the device is created in or
moved to a netns other than the one the request runs in. The rtnl
changelink path checks CAP_NET_ADMIN only against dev_net(dev), so a
caller privileged there but not in t->net can rewrite a tunnel that
lives in t->net.

Gate vti6_changelink() on rtnl_dev_link_net_capable() at its top,
before any attribute is parsed.

Reported-by: Xiao Liang <redacted>
Closes: https://lore.kernel.org/netdev/CABAhCOSzP1vaThGV35_VnsRCb=87_CPjPVsTHbq905k8A+BuUg@mail.gmail.com/ (local)
Fixes: 61220ab34948 ("vti6: Enable namespace changing")
Cc: stable@vger.kernel.org
Signed-off-by: Maoyi Xie <redacted>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
---
 net/ipv6/ip6_vti.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/ipv6/ip6_vti.c b/net/ipv6/ip6_vti.c
index d871cab6938d..ab94b3a4ba9c 100644
--- a/net/ipv6/ip6_vti.c
+++ b/net/ipv6/ip6_vti.c

@@ -1046,6 +1046,9 @@ static int vti6_changelink(struct net_device *dev, struct nlattr *tb[],
 	struct __ip6_tnl_parm p;
 	struct vti6_net *ip6n;
 
+	if (!rtnl_dev_link_net_capable(dev, net))
+		return -EPERM;
+
 	ip6n = net_generic(net, vti6_net_id);
 	if (dev == ip6n->fb_tnl_dev)
 		return -EINVAL;

-- 
2.34.1

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help