diff options
| author | Bobby Eshleman <bobbyeshleman@meta.com> | 2026-06-03 04:37:31 +0300 |
|---|---|---|
| committer | Jakub Kicinski <kuba@kernel.org> | 2026-06-06 04:10:31 +0300 |
| commit | e302aa3d00fb1bcbc1137a42615b1c54ca51d785 (patch) | |
| tree | 3b0a249ffe2721b5c58a132c861dd6c9bf2ed51d | |
| parent | 9410fb4da2d42a75c0fdbc04c4e74f3a2c42793f (diff) | |
| download | linux-e302aa3d00fb1bcbc1137a42615b1c54ca51d785.tar.xz | |
net: devmem: allow bind-rx from non-init user namespaces
NETDEV_CMD_BIND_RX is currently GENL_ADMIN_PERM, which checks
CAP_NET_ADMIN against init userns. With recent container/netkit/ns
support for devmem, other userns/netns use cases come online and require
bind-rx to allow CAP_NET_ADMIN in non-init user ns as well.
Switch the flag to GENL_UNS_ADMIN_PERM to allow bind-rx for
CAP_NET_ADMIN in the netns's owning userns as well.
Signed-off-by: Bobby Eshleman <bobbyeshleman@meta.com>
Acked-by: Stanislav Fomichev <sdf@fomichev.me>
Link: https://patch.msgid.link/20260602-nl-prov-v2-1-ad721142c641@meta.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
| -rw-r--r-- | Documentation/netlink/specs/netdev.yaml | 2 | ||||
| -rw-r--r-- | net/core/netdev-genl-gen.c | 2 |
2 files changed, 2 insertions, 2 deletions
diff --git a/Documentation/netlink/specs/netdev.yaml b/Documentation/netlink/specs/netdev.yaml index a1f4c5a561e9..49862b666d7d 100644 --- a/Documentation/netlink/specs/netdev.yaml +++ b/Documentation/netlink/specs/netdev.yaml @@ -798,7 +798,7 @@ operations: name: bind-rx doc: Bind dmabuf to netdev attribute-set: dmabuf - flags: [admin-perm] + flags: [uns-admin-perm] do: request: attributes: diff --git a/net/core/netdev-genl-gen.c b/net/core/netdev-genl-gen.c index c7e138bfe345..d18c89b5a6c7 100644 --- a/net/core/netdev-genl-gen.c +++ b/net/core/netdev-genl-gen.c @@ -220,7 +220,7 @@ static const struct genl_split_ops netdev_nl_ops[] = { .doit = netdev_nl_bind_rx_doit, .policy = netdev_bind_rx_nl_policy, .maxattr = NETDEV_A_DMABUF_FD, - .flags = GENL_ADMIN_PERM | GENL_CMD_CAP_DO, + .flags = GENL_UNS_ADMIN_PERM | GENL_CMD_CAP_DO, }, { .cmd = NETDEV_CMD_NAPI_SET, |