[PATCH net 0/2] vsock: fix child netns mode initialization and restriction

[PATCH net 0/2] vsock: fix child netns mode initialization and restriction

[Stefano Garzarella]

This series fixes two issues in the vsock network namespace support
recently introduced by commit eafb64f40ca4 ("vsock: add netns to vsock
core").

Patch 1 fixes `child_ns_mode` being always hardcoded to "global" for new
namespaces, breaking propagation of the "local" mode through nested
namespaces.

Patch 2 prevents a "local" namespace from switching `child_ns_mode` to
"global", which would allow nested namespaces to escape vsock isolation
and access global CIDs.

Stefano Garzarella (2):
  vsock: fix child netns mode initialization
  vsock: prevent child netns mode switch from local to global

 net/vmw_vsock/af_vsock.c | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

-- 
2.53.0

[PATCH net 1/2] vsock: fix child netns mode initialization

[Stefano Garzarella]

From: Stefano Garzarella <sgarzare@redhat.com>

When a new network namespace is created, vsock_net_init() correctly
initializes the namespace's mode by reading the parent's `child_ns_mode`
via vsock_net_child_mode(). However, the `child_ns_mode` of the new
namespace was always hardcoded to VSOCK_NET_MODE_GLOBAL, regardless of
its own mode.

This means that if a parent namespace has `child_ns_mode` set to "local",
the child namespace correctly gets mode "local", but its `child_ns_mode`
is reset to "global". As a result, further nested namespaces will
incorrectly get mode "global" instead of inheriting "local", breaking
the expected propagation of the mode through nested namespaces.

Fix this by initializing `child_ns_mode` to the namespace's own mode,
so the setting propagates correctly through all levels of nesting.

Fixes: eafb64f40ca4 ("vsock: add netns to vsock core")
Cc: bobbyeshleman@meta.com
Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
---
 net/vmw_vsock/af_vsock.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
index 20ad2b2dc17b..3b629b4a0359 100644
--- a/net/vmw_vsock/af_vsock.c
+++ b/net/vmw_vsock/af_vsock.c
@@ -91,7 +91,8 @@
  *   - /proc/sys/net/vsock/ns_mode (read-only) reports the current namespace's
  *     mode, which is set at namespace creation and immutable thereafter.
  *   - /proc/sys/net/vsock/child_ns_mode (writable) controls what mode future
- *     child namespaces will inherit when created. The default is "global".
+ *     child namespaces will inherit when created. The initial value matches
+ *     the namespace's own ns_mode.
  *
  *   Changing child_ns_mode only affects newly created namespaces, not the
  *   current namespace or existing children. At namespace creation, ns_mode
@@ -2912,7 +2913,7 @@ static void vsock_net_init(struct net *net)
 	else
 		net->vsock.mode = vsock_net_child_mode(current->nsproxy->net_ns);
 
-	net->vsock.child_ns_mode = VSOCK_NET_MODE_GLOBAL;
+	net->vsock.child_ns_mode = net->vsock.mode;
 }
 
 static __net_init int vsock_sysctl_init_net(struct net *net)
-- 
2.53.0

[PATCH net 2/2] vsock: prevent child netns mode switch from local to global

[Stefano Garzarella]

From: Stefano Garzarella <sgarzare@redhat.com>

A "local" namespace can change its `child_ns_mode` sysctl to "global",
allowing nested namespaces to access global CIDs. This can be exploited
by an unprivileged user who gained CAP_NET_ADMIN through a user
namespace.

Prevent this by rejecting writes that attempt to set `child_ns_mode` to
"global" when the current namespace's mode is "local".

Fixes: eafb64f40ca4 ("vsock: add netns to vsock core")
Cc: bobbyeshleman@meta.com
Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
---
 net/vmw_vsock/af_vsock.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
index 3b629b4a0359..9880756d9eff 100644
--- a/net/vmw_vsock/af_vsock.c
+++ b/net/vmw_vsock/af_vsock.c
@@ -95,8 +95,9 @@
  *     the namespace's own ns_mode.
  *
  *   Changing child_ns_mode only affects newly created namespaces, not the
- *   current namespace or existing children. At namespace creation, ns_mode
- *   is inherited from the parent's child_ns_mode.
+ *   current namespace or existing children. A "local" namespace cannot set
+ *   child_ns_mode to "global". At namespace creation, ns_mode is inherited
+ *   from the parent's child_ns_mode.
  *
  *   The init_net mode is "global" and cannot be modified.
  *
@@ -2844,8 +2845,16 @@ static int vsock_net_child_mode_string(const struct ctl_table *table, int write,
 	if (ret)
 		return ret;
 
-	if (write)
+	if (write) {
+		/* Prevent a "local" namespace from escalating to "global",
+		 * which would give nested namespaces access to global CIDs.
+		 */
+		if (vsock_net_mode(net) == VSOCK_NET_MODE_LOCAL &&
+		    new_mode == VSOCK_NET_MODE_GLOBAL)
+			return -EPERM;
+
 		vsock_net_set_child_mode(net, new_mode);
+	}
 
 	return 0;
 }
-- 
2.53.0

Re: [PATCH net 1/2] vsock: fix child netns mode initialization

[Bobby Eshleman]

On Thu, Feb 12, 2026 at 09:59:15PM +0100, Stefano Garzarella wrote:
> From: Stefano Garzarella <sgarzare@redhat.com>
> 
> When a new network namespace is created, vsock_net_init() correctly
> initializes the namespace's mode by reading the parent's `child_ns_mode`
> via vsock_net_child_mode(). However, the `child_ns_mode` of the new
> namespace was always hardcoded to VSOCK_NET_MODE_GLOBAL, regardless of
> its own mode.
> 
> This means that if a parent namespace has `child_ns_mode` set to "local",
> the child namespace correctly gets mode "local", but its `child_ns_mode`
> is reset to "global". As a result, further nested namespaces will
> incorrectly get mode "global" instead of inheriting "local", breaking
> the expected propagation of the mode through nested namespaces.
> 
> Fix this by initializing `child_ns_mode` to the namespace's own mode,
> so the setting propagates correctly through all levels of nesting.
> 
> Fixes: eafb64f40ca4 ("vsock: add netns to vsock core")
> Cc: bobbyeshleman@meta.com
> Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
> ---
>  net/vmw_vsock/af_vsock.c | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
> index 20ad2b2dc17b..3b629b4a0359 100644
> --- a/net/vmw_vsock/af_vsock.c
> +++ b/net/vmw_vsock/af_vsock.c
> @@ -91,7 +91,8 @@
>   *   - /proc/sys/net/vsock/ns_mode (read-only) reports the current namespace's
>   *     mode, which is set at namespace creation and immutable thereafter.
>   *   - /proc/sys/net/vsock/child_ns_mode (writable) controls what mode future
> - *     child namespaces will inherit when created. The default is "global".
> + *     child namespaces will inherit when created. The initial value matches
> + *     the namespace's own ns_mode.
>   *
>   *   Changing child_ns_mode only affects newly created namespaces, not the
>   *   current namespace or existing children. At namespace creation, ns_mode
> @@ -2912,7 +2913,7 @@ static void vsock_net_init(struct net *net)
>  	else
>  		net->vsock.mode = vsock_net_child_mode(current->nsproxy->net_ns);
>  
> -	net->vsock.child_ns_mode = VSOCK_NET_MODE_GLOBAL;
> +	net->vsock.child_ns_mode = net->vsock.mode;
>  }
>  
>  static __net_init int vsock_sysctl_init_net(struct net *net)
> -- 
> 2.53.0
> 

LGTM.

Reviewed-by: Bobby Eshleman <bobbyeshleman@meta.com>

Re: [PATCH net 2/2] vsock: prevent child netns mode switch from local to global

[Bobby Eshleman]

On Thu, Feb 12, 2026 at 09:59:16PM +0100, Stefano Garzarella wrote:
> From: Stefano Garzarella <sgarzare@redhat.com>
> 
> A "local" namespace can change its `child_ns_mode` sysctl to "global",
> allowing nested namespaces to access global CIDs. This can be exploited
> by an unprivileged user who gained CAP_NET_ADMIN through a user
> namespace.
> 
> Prevent this by rejecting writes that attempt to set `child_ns_mode` to
> "global" when the current namespace's mode is "local".
> 
> Fixes: eafb64f40ca4 ("vsock: add netns to vsock core")
> Cc: bobbyeshleman@meta.com
> Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
> ---
>  net/vmw_vsock/af_vsock.c | 15 ++++++++++++---
>  1 file changed, 12 insertions(+), 3 deletions(-)
> 
> diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
> index 3b629b4a0359..9880756d9eff 100644
> --- a/net/vmw_vsock/af_vsock.c
> +++ b/net/vmw_vsock/af_vsock.c
> @@ -95,8 +95,9 @@
>   *     the namespace's own ns_mode.
>   *
>   *   Changing child_ns_mode only affects newly created namespaces, not the
> - *   current namespace or existing children. At namespace creation, ns_mode
> - *   is inherited from the parent's child_ns_mode.
> + *   current namespace or existing children. A "local" namespace cannot set
> + *   child_ns_mode to "global". At namespace creation, ns_mode is inherited
> + *   from the parent's child_ns_mode.
>   *
>   *   The init_net mode is "global" and cannot be modified.
>   *
> @@ -2844,8 +2845,16 @@ static int vsock_net_child_mode_string(const struct ctl_table *table, int write,
>  	if (ret)
>  		return ret;
>  
> -	if (write)
> +	if (write) {
> +		/* Prevent a "local" namespace from escalating to "global",
> +		 * which would give nested namespaces access to global CIDs.
> +		 */
> +		if (vsock_net_mode(net) == VSOCK_NET_MODE_LOCAL &&
> +		    new_mode == VSOCK_NET_MODE_GLOBAL)
> +			return -EPERM;
> +
>  		vsock_net_set_child_mode(net, new_mode);
> +	}
>  
>  	return 0;
>  }
> -- 
> 2.53.0
> 

Thanks for the fix!

Reviewed-by: Bobby Eshleman <bobbyeshleman@meta.com>

Re: [PATCH net 0/2] vsock: fix child netns mode initialization and restriction

[patchwork-bot+netdevbpf]

Hello:

This series was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@kernel.org>:

On Thu, 12 Feb 2026 21:59:14 +0100 you wrote:
> This series fixes two issues in the vsock network namespace support
> recently introduced by commit eafb64f40ca4 ("vsock: add netns to vsock
> core").
> 
> Patch 1 fixes `child_ns_mode` being always hardcoded to "global" for new
> namespaces, breaking propagation of the "local" mode through nested
> namespaces.
> 
> [...]

Here is the summary with links:
  - [net,1/2] vsock: fix child netns mode initialization
    https://git.kernel.org/netdev/net/c/9dd391493a72
  - [net,2/2] vsock: prevent child netns mode switch from local to global
    https://git.kernel.org/netdev/net/c/6a997f38bdf8

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html