NETDEV_CMD_BIND_RX is currently GENL_ADMIN_PERM, which checks
CAP_NET_ADMIN against init userns. With recent container/netkit/ns
support for devmem, other userns/netns use cases come online and require
bind-rx to allow CAP_NET_ADMIN in non-init user ns as well.
Switch the flag to GENL_UNS_ADMIN_PERM to allow bind-rx for
CAP_NET_ADMIN in the netns's owning userns as well.
Signed-off-by: Bobby Eshleman <bobbyeshleman@meta.com>
Acked-by: Stanislav Fomichev <sdf@fomichev.me>
Link: https://patch.msgid.link/20260602-nl-prov-v2-1-ad721142c641@meta.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
name: bind-rx
doc: Bind dmabuf to netdev
attribute-set: dmabuf
- flags: [admin-perm]
+ flags: [uns-admin-perm]
do:
request:
attributes:
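Review bot: The `doc:` string for bind-rx still reads only "Bind dmabuf to netdev", while the `flags:` line on the same op moves from `admin-perm` to `uns-admin-perm`. The spec is where userspace authors look up an op's requirements, so consider extending the doc to say that the op requires CAP_NET_ADMIN in the user namespace that owns the netns. That documents the relaxed requirement next to the flag that grants it.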
.doit = netdev_nl_bind_rx_doit,
.policy = netdev_bind_rx_nl_policy,
.maxattr = NETDEV_A_DMABUF_FD,
- .flags = GENL_ADMIN_PERM | GENL_CMD_CAP_DO,
+ .flags = GENL_UNS_ADMIN_PERM | GENL_CMD_CAP_DO,
},
{
.cmd = NETDEV_CMD_NAPI_SET,
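Review bot: Only the `.flags` line of the bind-rx entry changes, so once `GENL_ADMIN_PERM` is gone, `netdev_nl_bind_rx_doit` is what decides whether a caller with CAP_NET_ADMIN in a non-init userns may bind to a given device and dmabuf. The handler is not part of this diff. Please state in the commit message that it resolves the target device within the caller's netns, or add that check, since the genetlink flag no longer limits the op to the init userns. The new value does match the `uns-admin-perm` flag in the spec hunk, so the spec and the ops table stay in sync.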