* [PATCH] rtnetlink: add missing netlink_ns_capable() check for peer netns
From: Nikolaos Gkarlis @ 2026-03-24 8:07 UTC
To: netdev; +Cc: Nikolaos Gkarlis
rtnl_newlink() lacks a CAP_NET_ADMIN capability check on the peer
network namespace when creating paired devices (veth, vxcan,
netkit). This allows an unprivileged user with a user namespace
to create interfaces in arbitrary network namespaces, including
init_net.
Add a netlink_ns_capable() check for CAP_NET_ADMIN in the peer
namespace before allowing device creation to proceed.
Fixes: 48327566769a ("rtnetlink: fix double call of rtnl_link_get_net_ifla()")
Reported-by: Nikolaos Gkarlis <nickgarlis@gmail.com>
Signed-off-by: Nikolaos Gkarlis <nickgarlis@gmail.com>
---
net/core/rtnetlink.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 576d5ec3bb36..f3a7d6dbd713 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -4030,8 +4030,15 @@ static int rtnl_newlink(struct sk_buff *skb, struct nlmsghdr *nlh,
ret = PTR_ERR(peer_net);
goto put_ops;
}
- if (peer_net)
+ if (peer_net) {
+ if (!netlink_ns_capable(skb, peer_net->user_ns,
+ CAP_NET_ADMIN)) {
+ put_net(peer_net);
+ ret = -EPERM;
+ goto put_ops;
+ }
rtnl_nets_add(&rtnl_nets, peer_net);
+ }
}
}
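Review bot: the -EPERM path must drop the peer_net reference itself, and the hunk does so with put_net(peer_net) before goto put_ops, which is correct because rtnl_nets_add(&rtnl_nets, peer_net) has not yet taken ownership at that point. Two things to revisit in the commit message rather than the code: the Fixes: tag 48327566769a ("rtnetlink: fix double call of rtnl_link_get_net_ifla()") names a cleanup of the double call, not the change that introduced the unchecked peer-namespace lookup, so the tag should point at the commit(s) that first made the peer netns reachable here; and the commit text should state that the new check is gated on the caller holding CAP_NET_ADMIN in peer_net->user_ns, i.e. the peer namespace's owning user namespace, so that it is clear a user-namespace-only caller can still create pairs inside namespaces it owns.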
--
2.34.1
* Re: [PATCH] rtnetlink: add missing netlink_ns_capable() check for peer netns
From: Jakub Kicinski @ 2026-03-27 3:36 UTC
To: Nikolaos Gkarlis; +Cc: netdev
On Tue, 24 Mar 2026 09:07:30 +0100 Nikolaos Gkarlis wrote:
> rtnl_newlink() lacks a CAP_NET_ADMIN capability check on the peer
> network namespace when creating paired devices (veth, vxcan,
> netkit). This allows an unprivileged user with a user namespace
> to create interfaces in arbitrary network namespaces, including
> init_net.
>
> Add a netlink_ns_capable() check for CAP_NET_ADMIN in the peer
> namespace before allowing device creation to proceed.
>
> Fixes: 48327566769a ("rtnetlink: fix double call of rtnl_link_get_net_ifla()")
AI assistant here suggests this is not the valid Fixes tag,
which seems true on the surface. This commit was fixing
cleanup, IDK how it could break input validation?
> Reported-by: Nikolaos Gkarlis <nickgarlis@gmail.com>
Reported-by tags are only for when the reporter is different from the author.
Google's bounty program rules have been amended to make this
explicit; please let us know if other programs still mislead people.
> Signed-off-by: Nikolaos Gkarlis <nickgarlis@gmail.com>
--
pw-bot: cr
* Re: [PATCH] rtnetlink: add missing netlink_ns_capable() check for peer netns
From: Nikolaos Gkarlis @ 2026-03-27 8:55 UTC
To: Jakub Kicinski; +Cc: netdev
Hi Jakub,
I've created a crude reproduction script using some AI. If that helps,
you can find it here:
https://gist.githubusercontent.com/nickgarlis/5a5815d438aa19b409806712f35f2cb1/raw/c7e2dd0902f1f53f5750f7bbd3ba39ff0b21e43e/inject_iface.c
> AI assistant here suggests this is not the valid Fixes tag,
> which seems true on the surface. This commit was fixing
> cleanup, IDK how it could break input validation?
I went back to check and ran the test against 7a0ea70da56e (the commit
prior) and it does seem like it was broken then too. I think I must have
messed up my testing process when I initially submitted the patch.
It also seems like the bug was always there or at least - almost always
- since I assume it wasn't a problem before unprivileged namespaces
were introduced?
In that case, should the tags point to the introduction of the
attributes (like shown below) or to the introduction of
the namespaces?
Fixes: 0eb87b02a705 ("veth: Set VETH_INFO_PEER to veth_link_ops.peer_type.")
Fixes: 6b84e558e95d ("vxcan: Set VXCAN_INFO_PEER to vxcan_link_ops.peer_type.")
Fixes: fefd5d082172 ("netkit: Set IFLA_NETKIT_PEER_INFO to
netkit_link_ops.peer_type.")
> Reported-by tags are only when the reporter is different than author
> the Google's bounty program rules have been amended to make this
> explicit, please let us know if other programs still mislead people
That was a mistake on my part, not going through the docs properly.
I'll fix all of the tags in a V2 if you want to accept the patch.
* Re: [PATCH] rtnetlink: add missing netlink_ns_capable() check for peer netns
From: Kuniyuki Iwashima @ 2026-03-27 16:03 UTC
To: nickgarlis; +Cc: kuba, netdev
From: Nikolaos Gkarlis <nickgarlis@gmail.com>
Date: Fri, 27 Mar 2026 09:55:31 +0100
> Hi Jakub,
>
> I've created a crude reproduction script using some AI. If that helps,
> you can find it here:
> https://gist.githubusercontent.com/nickgarlis/5a5815d438aa19b409806712f35f2cb1/raw/c7e2dd0902f1f53f5750f7bbd3ba39ff0b21e43e/inject_iface.c
>
> > AI assistant here suggests this is not the valid Fixes tag,
> > which seems true on the surface. This commit was fixing
> > cleanup, IDK how it could break input validation?
>
> I went back to check and ran the test against 7a0ea70da56e (the commit
> prior) and it does seem like it was broken then too. I think I must have
> messed up my testing process when I initially submitted the patch.
>
> It also seems like the bug was always there or at least - almost always
> - since I assume it wasn't a problem before unprivileged namespaces
> were introduced?
>
> In that case, should the tags point to the introduction of the
> attributes (like shown below) or to the introduction of
> the namespaces?
>
> Fixes: 0eb87b02a705 ("veth: Set VETH_INFO_PEER to veth_link_ops.peer_type.")
> Fixes: 6b84e558e95d ("vxcan: Set VXCAN_INFO_PEER to vxcan_link_ops.peer_type.")
> Fixes: fefd5d082172 ("netkit: Set IFLA_NETKIT_PEER_INFO to
> netkit_link_ops.peer_type.")
No, these commits just factorised the common part.
veth has not had the userns check since
commit 81adee47dfb608df3ad0b91d230fb3cef75f0060
Author: Eric W. Biederman <ebiederm@aristanetworks.com>
Date: Sun Nov 8 08:53:51 2009
net: Support specifying the network namespace upon device creation.
and vxcan and netkit have not had the check since Day 0.