From: Sasha Levin
To: stable@vger.kernel.org
Cc: Michael Bommarito, Steve French, Sasha Levin
Subject: [PATCH 6.6.y 2/2] smb: client: require net admin for CIFS SWN netlink
Date: Fri, 29 May 2026 12:51:27 -0400
Message-ID: <20260529165127.1228435-2-sashal@kernel.org>
In-Reply-To: <20260529165127.1228435-1-sashal@kernel.org>
References: <2026052829-prewashed-duct-fb51@gregkh> <20260529165127.1228435-1-sashal@kernel.org>

From: Michael Bommarito

[ Upstream commit d1ebfce2c1d161186a82e77590bf7da2ea1bce91 ]

CIFS_GENL_CMD_SWN_NOTIFY is the userspace witness-notify command. The
intended sender is the cifs.witness helper, but the generic-netlink
operation currently has no capability flag, so any local process can send
RESOURCE_CHANGE or CLIENT_MOVE notifications to the in-kernel witness
handler.

The same family exposes CIFS_GENL_MCGRP_SWN without multicast-group
capability flags. Register messages sent to that group include the witness
registration id and, for NTLM-authenticated mounts, the username, domain,
and password attributes copied from the CIFS session. An unprivileged
local process should not be able to join that group and receive those
messages.

Require CAP_NET_ADMIN for incoming SWN_NOTIFY commands with
GENL_ADMIN_PERM, and require CAP_NET_ADMIN over the network namespace for
joining the SWN multicast group with GENL_MCAST_CAP_NET_ADMIN. The
cifs.witness service runs with the privileges needed for both operations.

Fixes: fed979a7e082 ("cifs: Set witness notification handler for messages from userspace daemon")
Cc: stable@vger.kernel.org
Signed-off-by: Michael Bommarito
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Steve French
Signed-off-by: Sasha Levin --- fs/smb/client/netlink.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/fs/smb/client/netlink.c b/fs/smb/client/netlink.c index 147d9409252cd..0dd10913c37a0 100644 --- a/fs/smb/client/netlink.c +++ b/fs/smb/client/netlink.c @@ -33,13 +33,17 @@ static const struct nla_policy cifs_genl_policy[CIFS_GENL_ATTR_MAX + 1] = { static const struct genl_ops cifs_genl_ops[] = { { .cmd = CIFS_GENL_CMD_SWN_NOTIFY, + .flags = GENL_ADMIN_PERM, .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, .doit = cifs_swn_notify, }, }; static const struct genl_multicast_group cifs_genl_mcgrps[] = { - [CIFS_GENL_MCGRP_SWN] = { .name = CIFS_GENL_MCGRP_SWN_NAME }, + [CIFS_GENL_MCGRP_SWN] = { + .name = CIFS_GENL_MCGRP_SWN_NAME, + .flags = GENL_MCAST_CAP_NET_ADMIN, + }, }; struct genl_family cifs_genl_family = { -- 2.53.0
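Review bot: In the cifs_genl_mcgrps entry, the new `.flags = GENL_MCAST_CAP_NET_ADMIN` has no comment saying why the group is restricted, and the reason cannot be read off netlink.c alone: per the commit message, register messages sent to CIFS_GENL_MCGRP_SWN carry the username, domain and password attributes for NTLM-authenticated mounts. A short comment above the entry noting that the group delivers session credentials and that listeners need CAP_NET_ADMIN would keep a later cleanup from dropping the flag. The message also describes the two checks differently, CAP_NET_ADMIN for SWN_NOTIFY via `.flags = GENL_ADMIN_PERM` and CAP_NET_ADMIN "over the network namespace" for the group join; it would help to state explicitly that the namespace-scoped check is the intended bound on who may receive those attributes. As this is a 6.6.y backport, please also confirm that the `.flags` member and GENL_MCAST_CAP_NET_ADMIN are available in that tree, since the message does not say.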