[PATCH 6.12.y] net: add missing ns_capable check for peer netns
@ 2026-06-17 8:25 Maximilian Heyne
From: Maximilian Heyne @ 2026-06-17 8:25 UTC (permalink / raw)
To: stable
Cc: Maximilian Heyne, Marc Kleine-Budde, Vincent Mailhol, Andrew Lunn,
David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
Daniel Borkmann, Nikolay Aleksandrov, Eric W. Biederman,
linux-can, netdev, linux-kernel, bpf
The upstream commit 7b735ef81286 ("rtnetlink: add missing
netlink_ns_capable() check for peer netns") doesn't apply on older
stable kernels due to refactoring. Therefore, this patch is an attempt
to implement the same capability check just directly in the respective
interface types.
Approximate the netlink_ns_capable check with an ns_capable check. As
the newlink operation is synchronous this should result in the same
behavior.
Without this commit, for example, the following command creating a veth
device in the network namespace of pid 1 succeeds:
$ unshare -U -r -n -- bash -c '
ip link add veth0 type veth peer name foobar netns 1
sleep 60' &
$ ip link show foobar
13: foobar@if2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether 96:09:69:92:92:cc brd ff:ff:ff:ff:ff:ff link-netnsid 1
With this patch, it returns -EPERM.
This fixes CVE-2026-31692.
Cc: stable@vger.kernel.org
Fixes: 81adee47dfb6 ("net: Support specifying the network namespace upon device creation.")
Assisted-by: Kiro:claude
Signed-off-by: Maximilian Heyne <mheyne@amazon.de>
---
drivers/net/can/vxcan.c | 5 +++++
drivers/net/netkit.c | 5 +++++
drivers/net/veth.c | 5 +++++
3 files changed, 15 insertions(+)
diff --git a/drivers/net/can/vxcan.c b/drivers/net/can/vxcan.c
index 9e1b7d41005f8..851c93bf0b310 100644
--- a/drivers/net/can/vxcan.c
+++ b/drivers/net/can/vxcan.c
@@ -211,6 +211,11 @@ static int vxcan_newlink(struct net *net, struct net_device *dev,
if (IS_ERR(peer_net))
return PTR_ERR(peer_net);
+ if (!ns_capable(peer_net->user_ns, CAP_NET_ADMIN)) {
+ put_net(peer_net);
+ return -EPERM;
+ }
+
peer = rtnl_create_link(peer_net, ifname, name_assign_type,
&vxcan_link_ops, tbp, extack);
if (IS_ERR(peer)) {
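Review bot: the credentials compared here are not the ones the upstream check compares: `ns_capable(peer_net->user_ns, CAP_NET_ADMIN)` tests the capabilities of the task currently executing the request, whereas `netlink_ns_capable()` tests those of the task that opened the netlink socket, so the two agree only when the sender and the socket opener are the same process. The reference handling in the hunk is right (`put_net(peer_net)` before `return -EPERM`), but the commit message's "the newlink operation is synchronous, therefore same behavior" argument should be reworded to state which credentials are checked and why that is acceptable for 6.12.y, since synchronicity is not what distinguishes the two helpers.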
diff --git a/drivers/net/netkit.c b/drivers/net/netkit.c
index fba2c734f0ec7..e0c42fa0c835c 100644
--- a/drivers/net/netkit.c
+++ b/drivers/net/netkit.c
@@ -413,6 +413,11 @@ static int netkit_new_link(struct net *src_net, struct net_device *dev,
if (IS_ERR(net))
return PTR_ERR(net);
+ if (!ns_capable(net->user_ns, CAP_NET_ADMIN)) {
+ put_net(net);
+ return -EPERM;
+ }
+
peer = rtnl_create_link(net, ifname, ifname_assign_type,
&netkit_link_ops, tbp, extack);
if (IS_ERR(peer)) {
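Review bot: this is the same five-line block as in vxcan_newlink() and again in veth_newlink(); a small shared helper (for example one that takes the resolved peer `struct net *`, does the `ns_capable(..., CAP_NET_ADMIN)` test and calls `put_net()` on failure) would keep the three copies identical and make the check reusable for any other driver that resolves a peer netns the same way. It is also worth a sentence in the commit message that the `net` checked here is the peer namespace whose `IS_ERR()` result was just tested, not `src_net` from the function signature, since the variable name differs from the `peer_net` used in vxcan.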
diff --git a/drivers/net/veth.c b/drivers/net/veth.c
index 77e4b0d1ca557..6ffde7ee2119d 100644
--- a/drivers/net/veth.c
+++ b/drivers/net/veth.c
@@ -1854,6 +1854,11 @@ static int veth_newlink(struct net *src_net, struct net_device *dev,
if (IS_ERR(net))
return PTR_ERR(net);
+ if (!ns_capable(net->user_ns, CAP_NET_ADMIN)) {
+ put_net(net);
+ return -EPERM;
+ }
+
peer = rtnl_create_link(net, ifname, name_assign_type,
&veth_link_ops, tbp, extack);
if (IS_ERR(peer)) {
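Review bot: the new `-EPERM` is returned without an extack message; `extack` is already a parameter of veth_newlink(), so an `NL_SET_ERR_MSG(extack, "...")` before `return -EPERM` (and likewise in the vxcan and netkit hunks) would let `ip link` report that peer creation in the requested netns was refused for lack of CAP_NET_ADMIN there, instead of a bare "Operation not permitted" that is indistinguishable from other failures in this path.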
--
2.50.1
Amazon Web Services Development Center Germany GmbH
Tamara-Danz-Str. 13
10243 Berlin
Managing directors: Christof Hellmis, Andreas Stieger
Registered at the Charlottenburg District Court under HRB 257764 B
Registered office: Berlin
VAT ID: DE 365 538 597
Re: [PATCH 6.12.y] net: add missing ns_capable check for peer netns
@ 2026-06-17 8:37 sashiko-bot
From: sashiko-bot @ 2026-06-17 8:37 UTC (permalink / raw)
To: Maximilian Heyne
Cc: Vincent Mailhol, Oleksij Rempel, linux-can, bpf, Oliver Hartkopp,
Marc Kleine-Budde
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [Critical] The patch approximates `netlink_ns_capable()` with `ns_capable()`, leaving the system vulnerable to a Confused Deputy attack via passed netlink sockets.
--
commit 2a12959cedf2cc9c8b0a31fb916efbc1495579b3
Author: Maximilian Heyne <mheyne@amazon.de>
net: add missing ns_capable check for peer netns
This patch attempts to fix CVE-2026-31692 on older stable kernels by
adding capability checks to vxcan, netkit, and veth when creating peer
interfaces. It replaces the upstream netlink_ns_capable() check with
ns_capable(), relying on the synchronous nature of the newlink operation.
> Approximate the netlink_ns_capable check with an ns_capable check. As
> the newlink operation is synchronous this should result in the same
> behavior.
[Severity: Critical]
Does replacing netlink_ns_capable() with ns_capable() leave the system
vulnerable to a Confused Deputy attack, despite the synchronous behavior?
While the newlink operation is synchronous, ns_capable() only checks the
current thread's capabilities. netlink_ns_capable() also checks the
capabilities of the process that originally opened the netlink socket.
If an unprivileged attacker creates a netlink socket, crafts an RTM_NEWLINK
payload to create a peer interface in a privileged namespace, and passes the
socket file descriptor to a privileged SUID binary, could the SUID binary be
tricked into writing the payload? In this scenario, ns_capable() would see
the SUID binary's CAP_NET_ADMIN and allow the operation, bypassing the
intended security boundary since the unprivileged socket creator's
capabilities are ignored.
> diff --git a/drivers/net/can/vxcan.c b/drivers/net/can/vxcan.c
> index 9e1b7d41005f8..851c93bf0b310 100644
> --- a/drivers/net/can/vxcan.c
> +++ b/drivers/net/can/vxcan.c
[ ... ]
> @@ -211,6 +211,11 @@ static int vxcan_newlink(struct net *net, struct net_device *dev,
> if (IS_ERR(peer_net))
> return PTR_ERR(peer_net);
>
> + if (!ns_capable(peer_net->user_ns, CAP_NET_ADMIN)) {
> + put_net(peer_net);
> + return -EPERM;
> + }
> +
[Severity: Critical]
Does this ns_capable() call in vxcan_newlink() introduce the confused
deputy vulnerability described above?
> peer = rtnl_create_link(peer_net, ifname, name_assign_type,
> &vxcan_link_ops, tbp, extack);
> if (IS_ERR(peer)) {
> diff --git a/drivers/net/netkit.c b/drivers/net/netkit.c
> index fba2c734f0ec7..e0c42fa0c835c 100644
> --- a/drivers/net/netkit.c
> +++ b/drivers/net/netkit.c
[ ... ]
> @@ -413,6 +413,11 @@ static int netkit_new_link(struct net *src_net, struct net_device *dev,
> if (IS_ERR(net))
> return PTR_ERR(net);
>
> + if (!ns_capable(net->user_ns, CAP_NET_ADMIN)) {
> + put_net(net);
> + return -EPERM;
> + }
> +
[Severity: Critical]
Does this ns_capable() call in netkit_new_link() introduce the confused
deputy vulnerability described above?
> peer = rtnl_create_link(net, ifname, ifname_assign_type,
> &netkit_link_ops, tbp, extack);
> if (IS_ERR(peer)) {
> diff --git a/drivers/net/veth.c b/drivers/net/veth.c
> index 77e4b0d1ca557..6ffde7ee2119d 100644
> --- a/drivers/net/veth.c
> +++ b/drivers/net/veth.c
[ ... ]
> @@ -1854,6 +1854,11 @@ static int veth_newlink(struct net *src_net, struct net_device *dev,
> if (IS_ERR(net))
> return PTR_ERR(net);
>
> + if (!ns_capable(net->user_ns, CAP_NET_ADMIN)) {
> + put_net(net);
> + return -EPERM;
> + }
> +
[Severity: Critical]
Does this ns_capable() call in veth_newlink() introduce the confused
deputy vulnerability described above?
> peer = rtnl_create_link(net, ifname, name_assign_type,
> &veth_link_ops, tbp, extack);
> if (IS_ERR(peer)) {
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260617-pats-coif-316245c6@mheyne-amazon?part=1