git.ipfire.org Git - thirdparty/linux.git/commit

author	Maoyi Xie <maoyi.xie@ntu.edu.sg>
	Wed, 6 May 2026 06:48:53 +0000 (14:48 +0800)
committer	Johannes Berg <johannes.berg@intel.com>
	Wed, 6 May 2026 09:05:52 +0000 (11:05 +0200)
commit	15994bb0cbb8fc4879da7552ddd08c1896261c39
tree	53d7783826dccdbe9f890066d9658928f037b93b	tree \| snapshot
parent	0f3c0a197309717d74729568f88957d448847937	commit \| diff

wifi: nl80211: require CAP_NET_ADMIN over the target netns in SET_WIPHY_NETNS

NL80211_CMD_SET_WIPHY_NETNS dispatches with GENL_UNS_ADMIN_PERM, which
verifies that the caller has CAP_NET_ADMIN for the source netns. It
doesn't verify that the caller has CAP_NET_ADMIN over the target netns
selected by NL80211_ATTR_NETNS_FD or NL80211_ATTR_PID.

This diverges from the convention enforced in
net/core/rtnetlink.c::rtnl_get_net_ns_capable():

    /* For now, the caller is required to have CAP_NET_ADMIN in
     * the user namespace owning the target net ns.
     */
    if (!sk_ns_capable(sk, net->user_ns, CAP_NET_ADMIN))
        return ERR_PTR(-EACCES);

A user with CAP_NET_ADMIN in their own user namespace can therefore
push a wiphy into an arbitrary netns (including init_net) over which
they have no privilege.

Mirror the rtnetlink convention by requiring CAP_NET_ADMIN in the
target netns before calling cfg80211_switch_netns().

Signed-off-by: Maoyi Xie <maoyi.xie@ntu.edu.sg>
Link: https://patch.msgid.link/20260506064854.2207105-2-maoyixie.tju@gmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>