[PATCH rdma-next 0/7] Check CAP_NET_RAW in right namespace

[PATCH rdma-next 0/7] Check CAP_NET_RAW in right namespace

[Leon Romanovsky]

The following series from Parav clears the mud where against which 
namespace the CAP_NET_RAW should be checked.

It is followup of this discussion:
https://lore.kernel.org/all/20250313050832.113030-1-parav@nvidia.com

Thanks

Parav Pandit (7):
  RDMA/uverbs: Check CAP_NET_RAW in user namespace for flow create
  RDMA/uverbs: Check CAP_NET_RAW in user namespace for QP create
  RDMA/mlx5: Check CAP_NET_RAW in user namespace for flow create
  RDMA/mlx5: Check CAP_NET_RAW in user namespace for anchor create
  RDMA/mlx5: Check CAP_NET_RAW in user namespace for devx create
  RDMA/counter: Check CAP_NET_RAW check in user namespace for RDMA
    counters
  RDMA/nldev: Check CAP_NET_RAW in user namespace for QP modify

 drivers/infiniband/core/core_priv.h           |  2 +-
 drivers/infiniband/core/counters.c            |  2 +-
 drivers/infiniband/core/device.c              | 27 +++++++++++++++++++
 drivers/infiniband/core/nldev.c               |  4 +--
 drivers/infiniband/core/uverbs_cmd.c          | 21 +++++++++------
 drivers/infiniband/core/uverbs_std_types_qp.c |  2 +-
 drivers/infiniband/hw/mlx5/devx.c             |  2 +-
 drivers/infiniband/hw/mlx5/fs.c               |  7 +++--
 include/rdma/ib_verbs.h                       |  2 ++
 9 files changed, 51 insertions(+), 18 deletions(-)

-- 
2.49.0

[PATCH rdma-next 1/7] RDMA/uverbs: Check CAP_NET_RAW in user namespace for flow create

[Leon Romanovsky]

From: Parav Pandit <parav@nvidia.com>

Currently, the capability check is done in the default
init_user_ns user namespace. When a process runs in a
non default user namespace, such check fails. Due to this
when a process is running using podman, it fails to create
the flow resource.

Since the RDMA device is a resource within a network namespace,
use the network namespace associated with the RDMA device to
determine its owning user namespace.

Fixes: 436f2ad05a0b ("IB/core: Export ib_create/destroy_flow through uverbs")
Signed-off-by: Parav Pandit <parav@nvidia.com>
Suggested-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
---
 drivers/infiniband/core/device.c     | 27 +++++++++++++++++++++++++++
 drivers/infiniband/core/uverbs_cmd.c |  8 +++++---
 include/rdma/ib_verbs.h              |  2 ++
 3 files changed, 34 insertions(+), 3 deletions(-)

diff --git a/drivers/infiniband/core/device.c b/drivers/infiniband/core/device.c
index 468ed6bd4722..79d8e6fce487 100644
--- a/drivers/infiniband/core/device.c
+++ b/drivers/infiniband/core/device.c
@@ -145,6 +145,33 @@ bool rdma_dev_access_netns(const struct ib_device *dev, const struct net *net)
 }
 EXPORT_SYMBOL(rdma_dev_access_netns);
 
+/**
+ * rdma_dev_has_raw_cap() - Returns whether a specified rdma device has
+ *			    CAP_NET_RAW capability or not.
+ *
+ * @dev:	Pointer to rdma device whose capability to be checked
+ *
+ * Returns true if a rdma device's owning user namespace has CAP_NET_RAW
+ * capability, otherwise false. When rdma subsystem is in legacy shared network,
+ * namespace mode, the default net namespace is considered.
+ */
+bool rdma_dev_has_raw_cap(const struct ib_device *dev)
+{
+	const struct net *net;
+
+	/* Network namespace is the resource whose user namespace
+	 * to be considered. When in shared mode, there is no reliable
+	 * network namespace resource, so consider the default net namespace.
+	 */
+	if (ib_devices_shared_netns)
+		net = &init_net;
+	else
+		net = read_pnet(&dev->coredev.rdma_net);
+
+	return ns_capable(net->user_ns, CAP_NET_RAW);
+}
+EXPORT_SYMBOL(rdma_dev_has_raw_cap);
+
 /*
  * xarray has this behavior where it won't iterate over NULL values stored in
  * allocated arrays.  So we need our own iterator to see all values stored in
diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c
index bc9fe3ceca4d..08a738a2a1ff 100644
--- a/drivers/infiniband/core/uverbs_cmd.c
+++ b/drivers/infiniband/core/uverbs_cmd.c
@@ -3225,9 +3225,6 @@ static int ib_uverbs_ex_create_flow(struct uverbs_attr_bundle *attrs)
 	if (cmd.comp_mask)
 		return -EINVAL;
 
-	if (!capable(CAP_NET_RAW))
-		return -EPERM;
-
 	if (cmd.flow_attr.flags >= IB_FLOW_ATTR_FLAGS_RESERVED)
 		return -EINVAL;
 
@@ -3272,6 +3269,11 @@ static int ib_uverbs_ex_create_flow(struct uverbs_attr_bundle *attrs)
 		goto err_free_attr;
 	}
 
+	if (!rdma_dev_has_raw_cap(uobj->context->device)) {
+		err = -EPERM;
+		goto err_uobj;
+	}
+
 	if (!rdma_is_port_valid(uobj->context->device, cmd.flow_attr.port)) {
 		err = -EINVAL;
 		goto err_uobj;
diff --git a/include/rdma/ib_verbs.h b/include/rdma/ib_verbs.h
index 38f68d245fa6..5e70a5cf35c3 100644
--- a/include/rdma/ib_verbs.h
+++ b/include/rdma/ib_verbs.h
@@ -4864,6 +4864,8 @@ static inline int ibdev_to_node(struct ib_device *ibdev)
 bool rdma_dev_access_netns(const struct ib_device *device,
 			   const struct net *net);
 
+bool rdma_dev_has_raw_cap(const struct ib_device *dev);
+
 #define IB_ROCE_UDP_ENCAP_VALID_PORT_MIN (0xC000)
 #define IB_ROCE_UDP_ENCAP_VALID_PORT_MAX (0xFFFF)
 #define IB_GRH_FLOWLABEL_MASK (0x000FFFFF)
-- 
2.49.0

[PATCH rdma-next 2/7] RDMA/uverbs: Check CAP_NET_RAW in user namespace for QP create

[Leon Romanovsky]

From: Parav Pandit <parav@nvidia.com>

Currently, the capability check is done in the default
init_user_ns user namespace. When a process runs in a
non default user namespace, such check fails. Due to this
when a process is running using podman, it fails to create
the QP.

Since the RDMA device is a resource within a network namespace,
use the network namespace associated with the RDMA device to
determine its owning user namespace.

Fixes: 2dee0e545894 ("IB/uverbs: Enable QP creation with a given source QP number")
Fixes: 6d1e7ba241e9 ("IB/uverbs: Introduce create/destroy QP commands over ioctl")
Signed-off-by: Parav Pandit <parav@nvidia.com>
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
---
 drivers/infiniband/core/uverbs_cmd.c          | 11 +++++++----
 drivers/infiniband/core/uverbs_std_types_qp.c |  2 +-
 2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c
index 08a738a2a1ff..84f9bbc781d3 100644
--- a/drivers/infiniband/core/uverbs_cmd.c
+++ b/drivers/infiniband/core/uverbs_cmd.c
@@ -1312,9 +1312,6 @@ static int create_qp(struct uverbs_attr_bundle *attrs,
 
 	switch (cmd->qp_type) {
 	case IB_QPT_RAW_PACKET:
-		if (!capable(CAP_NET_RAW))
-			return -EPERM;
-		break;
 	case IB_QPT_RC:
 	case IB_QPT_UC:
 	case IB_QPT_UD:
@@ -1330,6 +1327,12 @@ static int create_qp(struct uverbs_attr_bundle *attrs,
 						 &ib_dev);
 	if (IS_ERR(obj))
 		return PTR_ERR(obj);
+
+	if (cmd->qp_type == IB_QPT_RAW_PACKET) {
+		if (!rdma_dev_has_raw_cap(ib_dev))
+			return -EPERM;
+	}
+
 	obj->uxrcd = NULL;
 	obj->uevent.uobject.user_handle = cmd->user_handle;
 	mutex_init(&obj->mcast_lock);
@@ -1451,7 +1454,7 @@ static int create_qp(struct uverbs_attr_bundle *attrs,
 	}
 
 	if (attr.create_flags & IB_QP_CREATE_SOURCE_QPN) {
-		if (!capable(CAP_NET_RAW)) {
+		if (!rdma_dev_has_raw_cap(device)) {
 			ret = -EPERM;
 			goto err_put;
 		}
diff --git a/drivers/infiniband/core/uverbs_std_types_qp.c b/drivers/infiniband/core/uverbs_std_types_qp.c
index 7b4773fa4bc0..3f7bd5702fe4 100644
--- a/drivers/infiniband/core/uverbs_std_types_qp.c
+++ b/drivers/infiniband/core/uverbs_std_types_qp.c
@@ -133,7 +133,7 @@ static int UVERBS_HANDLER(UVERBS_METHOD_QP_CREATE)(
 		device = xrcd->device;
 		break;
 	case IB_UVERBS_QPT_RAW_PACKET:
-		if (!capable(CAP_NET_RAW))
+		if (!rdma_dev_has_raw_cap(attrs->context->device))
 			return -EPERM;
 		fallthrough;
 	case IB_UVERBS_QPT_RC:
-- 
2.49.0

[PATCH rdma-next 3/7] RDMA/mlx5: Check CAP_NET_RAW in user namespace for flow create

[Leon Romanovsky]

From: Parav Pandit <parav@nvidia.com>

Currently, the capability check is done in the default
init_user_ns user namespace. When a process runs in a
non default user namespace, such check fails. Due to this
when a process is running using podman, it fails to create
the flow.

Since the RDMA device is a resource within a network namespace,
use the network namespace associated with the RDMA device to
determine its owning user namespace.

Fixes: 322694412400 ("IB/mlx5: Introduce driver create and destroy flow methods")
Signed-off-by: Parav Pandit <parav@nvidia.com>
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
---
 drivers/infiniband/hw/mlx5/fs.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/drivers/infiniband/hw/mlx5/fs.c b/drivers/infiniband/hw/mlx5/fs.c
index ebcc05f766e1..774239d9efdc 100644
--- a/drivers/infiniband/hw/mlx5/fs.c
+++ b/drivers/infiniband/hw/mlx5/fs.c
@@ -2459,13 +2459,12 @@ static int UVERBS_HANDLER(MLX5_IB_METHOD_CREATE_FLOW)(
 	struct mlx5_ib_dev *dev;
 	u32 flags;
 
-	if (!capable(CAP_NET_RAW))
-		return -EPERM;
-
 	fs_matcher = uverbs_attr_get_obj(attrs,
 					 MLX5_IB_ATTR_CREATE_FLOW_MATCHER);
 	uobj =  uverbs_attr_get_uobject(attrs, MLX5_IB_ATTR_CREATE_FLOW_HANDLE);
 	dev = mlx5_udata_to_mdev(&attrs->driver_udata);
+	if (!rdma_dev_has_raw_cap(&dev->ib_dev))
+		return -EPERM;
 
 	if (get_dests(attrs, fs_matcher, &dest_id, &dest_type, &qp, &flags))
 		return -EINVAL;
-- 
2.49.0

[PATCH rdma-next 4/7] RDMA/mlx5: Check CAP_NET_RAW in user namespace for anchor create

[Leon Romanovsky]

From: Parav Pandit <parav@nvidia.com>

Currently, the capability check is done in the default
init_user_ns user namespace. When a process runs in a
non default user namespace, such check fails. Due to this
when a process is running using podman, it fails to create
the anchor.

Since the RDMA device is a resource within a network namespace,
use the network namespace associated with the RDMA device to
determine its owning user namespace.

Fixes: 0c6ab0ca9a66 ("RDMA/mlx5: Expose steering anchor to userspace")
Signed-off-by: Parav Pandit <parav@nvidia.com>
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
---
 drivers/infiniband/hw/mlx5/fs.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/infiniband/hw/mlx5/fs.c b/drivers/infiniband/hw/mlx5/fs.c
index 774239d9efdc..075d6dacb1cc 100644
--- a/drivers/infiniband/hw/mlx5/fs.c
+++ b/drivers/infiniband/hw/mlx5/fs.c
@@ -2989,7 +2989,7 @@ static int UVERBS_HANDLER(MLX5_IB_METHOD_STEERING_ANCHOR_CREATE)(
 	u32 ft_id;
 	int err;
 
-	if (!capable(CAP_NET_RAW))
+	if (!rdma_dev_has_raw_cap(&dev->ib_dev))
 		return -EPERM;
 
 	err = uverbs_get_const(&ib_uapi_ft_type, attrs,
-- 
2.49.0

[PATCH rdma-next 5/7] RDMA/mlx5: Check CAP_NET_RAW in user namespace for devx create

[Leon Romanovsky]

From: Parav Pandit <parav@nvidia.com>

Currently, the capability check is done in the default
init_user_ns user namespace. When a process runs in a
non default user namespace, such check fails. Due to this
when a process is running using podman, it fails to create
the devx object.

Since the RDMA device is a resource within a network namespace,
use the network namespace associated with the RDMA device to
determine its owning user namespace.

Fixes: a8b92ca1b0e5 ("IB/mlx5: Introduce DEVX")
Signed-off-by: Parav Pandit <parav@nvidia.com>
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
---
 drivers/infiniband/hw/mlx5/devx.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/infiniband/hw/mlx5/devx.c b/drivers/infiniband/hw/mlx5/devx.c
index b690b58ec91d..3d2e194dcf8c 100644
--- a/drivers/infiniband/hw/mlx5/devx.c
+++ b/drivers/infiniband/hw/mlx5/devx.c
@@ -159,7 +159,7 @@ int mlx5_ib_devx_create(struct mlx5_ib_dev *dev, bool is_user, u64 req_ucaps)
 	uctx = MLX5_ADDR_OF(create_uctx_in, in, uctx);
 	if (is_user &&
 	    (MLX5_CAP_GEN(dev->mdev, uctx_cap) & MLX5_UCTX_CAP_RAW_TX) &&
-	    capable(CAP_NET_RAW))
+	    rdma_dev_has_raw_cap(&dev->ib_dev))
 		cap |= MLX5_UCTX_CAP_RAW_TX;
 	if (is_user &&
 	    (MLX5_CAP_GEN(dev->mdev, uctx_cap) &
-- 
2.49.0

[PATCH rdma-next 6/7] RDMA/counter: Check CAP_NET_RAW check in user namespace for RDMA counters

[Leon Romanovsky]

From: Parav Pandit <parav@nvidia.com>

Currently, the capability check is done in the default
init_user_ns user namespace. When a process runs in a
non default user namespace, such check fails.

Since the RDMA device is a resource within a network namespace,
use the network namespace associated with the RDMA device to
determine its owning user namespace.

Fixes: 1bd8e0a9d0fd ("RDMA/counter: Allow manual mode configuration support")
Signed-off-by: Parav Pandit <parav@nvidia.com>
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
---
 drivers/infiniband/core/counters.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/infiniband/core/counters.c b/drivers/infiniband/core/counters.c
index e6ec7b7a40af..c3aa6d7fc66b 100644
--- a/drivers/infiniband/core/counters.c
+++ b/drivers/infiniband/core/counters.c
@@ -461,7 +461,7 @@ static struct ib_qp *rdma_counter_get_qp(struct ib_device *dev, u32 qp_num)
 		return NULL;
 
 	qp = container_of(res, struct ib_qp, res);
-	if (qp->qp_type == IB_QPT_RAW_PACKET && !capable(CAP_NET_RAW))
+	if (qp->qp_type == IB_QPT_RAW_PACKET && !rdma_dev_has_raw_cap(dev))
 		goto err;
 
 	return qp;
-- 
2.49.0

[PATCH rdma-next 7/7] RDMA/nldev: Check CAP_NET_RAW in user namespace for QP modify

[Leon Romanovsky]

From: Parav Pandit <parav@nvidia.com>

Currently, the capability check is done in the default
init_user_ns user namespace. When a process runs in a
non default user namespace, such check fails. Due to this
when a process is running using Podman, it fails to modify
the QP.

Since the RDMA device is a resource within a network namespace,
use the network namespace associated with the RDMA device to
determine its owning user namespace.

Fixes: 0cadb4db79e1 ("RDMA/uverbs: Restrict usage of privileged QKEYs")
Signed-off-by: Parav Pandit <parav@nvidia.com>
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
---
 drivers/infiniband/core/core_priv.h  | 2 +-
 drivers/infiniband/core/nldev.c      | 4 ++--
 drivers/infiniband/core/uverbs_cmd.c | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/infiniband/core/core_priv.h b/drivers/infiniband/core/core_priv.h
index 05102769a918..d0fdf168cd6f 100644
--- a/drivers/infiniband/core/core_priv.h
+++ b/drivers/infiniband/core/core_priv.h
@@ -370,5 +370,5 @@ void rdma_umap_priv_init(struct rdma_umap_priv *priv,
 
 void ib_cq_pool_cleanup(struct ib_device *dev);
 
-bool rdma_nl_get_privileged_qkey(void);
+bool rdma_nl_get_privileged_qkey(const struct ib_device *device);
 #endif /* _CORE_PRIV_H */
diff --git a/drivers/infiniband/core/nldev.c b/drivers/infiniband/core/nldev.c
index a872643e8039..b444a11be076 100644
--- a/drivers/infiniband/core/nldev.c
+++ b/drivers/infiniband/core/nldev.c
@@ -253,9 +253,9 @@ int rdma_nl_put_driver_u64_hex(struct sk_buff *msg, const char *name, u64 value)
 }
 EXPORT_SYMBOL(rdma_nl_put_driver_u64_hex);
 
-bool rdma_nl_get_privileged_qkey(void)
+bool rdma_nl_get_privileged_qkey(const struct ib_device *device)
 {
-	return privileged_qkey || capable(CAP_NET_RAW);
+	return privileged_qkey || rdma_dev_has_raw_cap(device);
 }
 EXPORT_SYMBOL(rdma_nl_get_privileged_qkey);
 
diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c
index 84f9bbc781d3..18a67f054a81 100644
--- a/drivers/infiniband/core/uverbs_cmd.c
+++ b/drivers/infiniband/core/uverbs_cmd.c
@@ -1880,7 +1880,7 @@ static int modify_qp(struct uverbs_attr_bundle *attrs,
 		attr->path_mig_state = cmd->base.path_mig_state;
 	if (cmd->base.attr_mask & IB_QP_QKEY) {
 		if (cmd->base.qkey & IB_QP_SET_QKEY &&
-		    !rdma_nl_get_privileged_qkey()) {
+		    !rdma_nl_get_privileged_qkey(qp->device)) {
 			ret = -EPERM;
 			goto release_qp;
 		}
-- 
2.49.0

Re: [PATCH rdma-next 2/7] RDMA/uverbs: Check CAP_NET_RAW in user namespace for QP create

[Jason Gunthorpe]

On Tue, Jun 17, 2025 at 11:35:46AM +0300, Leon Romanovsky wrote:
> From: Parav Pandit <parav@nvidia.com>
> 
> Currently, the capability check is done in the default
> init_user_ns user namespace. When a process runs in a
> non default user namespace, such check fails. Due to this
> when a process is running using podman, it fails to create
> the QP.
> 
> Since the RDMA device is a resource within a network namespace,
> use the network namespace associated with the RDMA device to
> determine its owning user namespace.
> 
> Fixes: 2dee0e545894 ("IB/uverbs: Enable QP creation with a given source QP number")
> Fixes: 6d1e7ba241e9 ("IB/uverbs: Introduce create/destroy QP commands over ioctl")
> Signed-off-by: Parav Pandit <parav@nvidia.com>
> Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
> ---
>  drivers/infiniband/core/uverbs_cmd.c          | 11 +++++++----
>  drivers/infiniband/core/uverbs_std_types_qp.c |  2 +-
>  2 files changed, 8 insertions(+), 5 deletions(-)
> 
> diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c
> index 08a738a2a1ff..84f9bbc781d3 100644
> --- a/drivers/infiniband/core/uverbs_cmd.c
> +++ b/drivers/infiniband/core/uverbs_cmd.c
> @@ -1312,9 +1312,6 @@ static int create_qp(struct uverbs_attr_bundle *attrs,
>  
>  	switch (cmd->qp_type) {
>  	case IB_QPT_RAW_PACKET:
> -		if (!capable(CAP_NET_RAW))
> -			return -EPERM;
> -		break;

I don't think we should do these code movements, I'm not sure we won't
create a security problem by actually creating the object and then
immediately destroying it.

Add a rdma_uattrs_has_raw_cap() and call ib_uverbs_get_ucontext_file()
to get the ->ib_device

Jason

RE: [PATCH rdma-next 2/7] RDMA/uverbs: Check CAP_NET_RAW in user namespace for QP create

[Parav Pandit]

> From: Jason Gunthorpe <jgg@nvidia.com>
> Sent: 17 June 2025 23:23
> 
> On Tue, Jun 17, 2025 at 11:35:46AM +0300, Leon Romanovsky wrote:
> > From: Parav Pandit <parav@nvidia.com>
> >
> > Currently, the capability check is done in the default init_user_ns
> > user namespace. When a process runs in a non default user namespace,
> > such check fails. Due to this when a process is running using podman,
> > it fails to create the QP.
> >
> > Since the RDMA device is a resource within a network namespace, use
> > the network namespace associated with the RDMA device to determine its
> > owning user namespace.
> >
> > Fixes: 2dee0e545894 ("IB/uverbs: Enable QP creation with a given
> > source QP number")
> > Fixes: 6d1e7ba241e9 ("IB/uverbs: Introduce create/destroy QP commands
> > over ioctl")
> > Signed-off-by: Parav Pandit <parav@nvidia.com>
> > Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
> > ---
> >  drivers/infiniband/core/uverbs_cmd.c          | 11 +++++++----
> >  drivers/infiniband/core/uverbs_std_types_qp.c |  2 +-
> >  2 files changed, 8 insertions(+), 5 deletions(-)
> >
> > diff --git a/drivers/infiniband/core/uverbs_cmd.c
> > b/drivers/infiniband/core/uverbs_cmd.c
> > index 08a738a2a1ff..84f9bbc781d3 100644
> > --- a/drivers/infiniband/core/uverbs_cmd.c
> > +++ b/drivers/infiniband/core/uverbs_cmd.c
> > @@ -1312,9 +1312,6 @@ static int create_qp(struct uverbs_attr_bundle
> > *attrs,
> >
> >  	switch (cmd->qp_type) {
> >  	case IB_QPT_RAW_PACKET:
> > -		if (!capable(CAP_NET_RAW))
> > -			return -EPERM;
> > -		break;
> 
> I don't think we should do these code movements, I'm not sure we won't
> create a security problem by actually creating the object and then
> immediately destroying it.
> 
> Add a rdma_uattrs_has_raw_cap() and call ib_uverbs_get_ucontext_file() to
> get the ->ib_device
> 
Ok. Sending v1 with the suggested change.

> Jason