From: Maoyi Xie
To: "David S . Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni
Cc: David Ahern, Steffen Klassert, Herbert Xu, Simon Horman, Kuniyuki Iwashima, Xiao Liang, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Maoyi Xie
Subject: [PATCH net v6 2/7] net: ipip: require CAP_NET_ADMIN in the device netns for changelink
Date: Fri, 12 Jun 2026 16:59:36 +0800
Message-Id: <20260612085941.3158249-3-maoyixie.tju@gmail.com>
In-Reply-To: <20260612085941.3158249-1-maoyixie.tju@gmail.com>
References: <20260612085941.3158249-1-maoyixie.tju@gmail.com>

ipip_changelink() operates on at most two netns, dev_net(dev) and the tunnel link netns t->net. They differ once the device is created in or moved to a netns other than the one the request runs in.

The rtnl changelink path checks CAP_NET_ADMIN only against dev_net(dev), so a caller privileged there but not in t->net can rewrite a tunnel that lives in t->net.

Gate ipip_changelink() on rtnl_dev_link_net_capable() at its top, before any attribute is parsed.

Reported-by: Xiao Liang
Closes: https://lore.kernel.org/netdev/CABAhCOSzP1vaThGV35_VnsRCb=87_CPjPVsTHbq905k8A+BuUg@mail.gmail.com/
Fixes: 6c742e714d8c ("ipip: add x-netns support")
Cc: stable@vger.kernel.org
Signed-off-by: Maoyi Xie Reviewed-by: Kuniyuki Iwashima --- net/ipv4/ipip.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/ipv4/ipip.c b/net/ipv4/ipip.c index ff95b1b9908e..e7378569bd5b 100644 --- a/net/ipv4/ipip.c +++ b/net/ipv4/ipip.c @@ -494,6 +494,9 @@ static int ipip_changelink(struct net_device *dev, struct nlattr *tb[], bool collect_md; __u32 fwmark = t->fwmark; + if (!rtnl_dev_link_net_capable(dev, t->net)) + return -EPERM; + if (ip_tunnel_netlink_encap_parms(data, &ipencap)) { int err = ip_tunnel_encap_setup(t, &ipencap); -- 2.34.1
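Review bot: rtnl_dev_link_net_capable() is not defined anywhere in this hunk, so the patch depends on whichever part of the series introduces that helper; since this is Cc'd to stable with a Fixes tag for 6c742e714d8c, please call out that dependency in a note below the `---` (or in the cover letter) so the helper is picked up alongside this change rather than leaving stable with an undefined symbol. The placement itself looks right: the gate sits after the local declarations and before ip_tunnel_netlink_encap_parms(), so an unprivileged caller in t->net is rejected with -EPERM before any attribute is parsed or tunnel state is touched, which matches the commit message. A one-line comment above the check would help future readers, since the rtnl core has already checked dev_net(dev) and the reason for a second check is not obvious from the code alone, e.g. `/* The rtnl core only checked dev_net(dev); the tunnel lives in t->net. */` directly above `if (!rtnl_dev_link_net_capable(dev, t->net))`.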