Commit 509da346 authored Oct 15, 2025 by Johannes Wiesböck Committed by Greg Kroah-Hartman Oct 29, 2025

rtnetlink: Allow deleting FDB entries in user namespace



[ Upstream commit bf29555f ]

Creating FDB entries is possible from a non-initial user namespace when
having CAP_NET_ADMIN, yet, when deleting FDB entries, processes receive
an EPERM because the capability is always checked against the initial
user namespace. This restricts the FDB management from unprivileged
containers.

Drop the netlink_capable check in rtnl_fdb_del as it was originally
dropped in c5c35108 and reintroduced in 1690be63 without
intention.

This patch was tested using a container on GyroidOS, where it was
possible to delete FDB entries from an unprivileged user namespace and
private network namespace.

Fixes: 1690be63 ("bridge: Add vlan support to static neighbors")
Reviewed-by: Michael Weiß <michael.weiss@aisec.fraunhofer.de>
Tested-by: Harshal Gohel <hg@simonwunderlich.de>
Signed-off-by: Johannes Wiesböck <johannes.wiesboeck@aisec.fraunhofer.de>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Reviewed-by: Nikolay Aleksandrov <razor@blackwall.org>
Link: https://patch.msgid.link/20251015201548.319871-1-johannes.wiesboeck@aisec.fraunhofer.de


Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

parent 4b714092

Show whitespace changes

Inline Side-by-side

CodeLinaro @codelinaro
mentioned in commit 13a2c8a6
· Nov 05, 2025

mentioned in commit 13a2c8a6

mentioned in commit 13a2c8a68f387d5a4609f25f769f55312e8ae1a7

Toggle commit list
CodeLinaro @codelinaro
mentioned in commit 11e0d633
· Nov 05, 2025

mentioned in commit 11e0d633

mentioned in commit 11e0d6335992396e0202d340662c0b82b4d6f0ed

Toggle commit list

Please to comment