rtnetlink: Allow deleting FDB entries in user namespace
Creating FDB entries is possible from a non-initial user namespace when having CAP_NET_ADMIN, yet, when deleting FDB entries, processes receive an EPERM because the capability is always checked against the initial user namespace. This restricts the FDB management from unprivileged containers.

Drop the netlink_capable check in rtnl_fdb_del as it was originally dropped in c5c35108 and reintroduced in 1690be63 without intention.

This patch was tested using a container on GyroidOS, where it was possible to delete FDB entries from an unprivileged user namespace and private network namespace.

Fixes: 1690be63 ("bridge: Add vlan support to static neighbors")
Reviewed-by: Michael Weiß <michael.weiss@aisec.fraunhofer.de>
Tested-by: Harshal Gohel <hg@simonwunderlich.de>
Signed-off-by: Johannes Wiesböck <johannes.wiesboeck@aisec.fraunhofer.de>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Reviewed-by: Nikolay Aleksandrov <razor@blackwall.org>
Link: https://patch.msgid.link/20251015201548.319871-1-johannes.wiesboeck@aisec.fraunhofer.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
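As an added example (not part of this patch or the kernel tree), the C program below builds and sends the RTM_DELNEIGH request that rtnl_fdb_del handles, the same message "bridge fdb del ... master" emits, and reports the kernel's answer, so it can be run inside an unprivileged user namespace with CAP_NET_ADMIN to check for 0 instead of EPERM. The bridge name br0 and the MAC address are constructed sample values.

```c
#include <errno.h>
#include <net/if.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>
#include <linux/neighbour.h>
struct fdb_del_req { struct nlmsghdr nh; struct ndmsg ndm; char attrs[32]; };
/* RTM_DELNEIGH request as rtnl_fdb_del() expects it: PF_BRIDGE ndmsg plus an NDA_LLADDR
 * attribute, the shape "bridge fdb del" sends. flags: NTF_SELF or NTF_MASTER. Returns total length. */
size_t build_fdb_del(struct fdb_del_req *req, int ifindex, const unsigned char mac[6], unsigned char flags)
{
    memset(req, 0, sizeof(*req));
    req->nh.nlmsg_len = NLMSG_LENGTH(sizeof(struct ndmsg));
    req->nh.nlmsg_type = RTM_DELNEIGH;
    req->nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;  /* request an ACK so 0 vs -EPERM is reported */
    req->ndm.ndm_family = PF_BRIDGE;
    req->ndm.ndm_ifindex = ifindex;
    req->ndm.ndm_flags = flags;
    struct rtattr *rta = (struct rtattr *)((char *)req + NLMSG_ALIGN(req->nh.nlmsg_len));
    rta->rta_type = NDA_LLADDR;
    rta->rta_len = RTA_LENGTH(6);
    memcpy(RTA_DATA(rta), mac, 6);
    req->nh.nlmsg_len = NLMSG_ALIGN(req->nh.nlmsg_len) + RTA_ALIGN(rta->rta_len);
    return req->nh.nlmsg_len;
}
/* Send on NETLINK_ROUTE; return 0 on ACK or the kernel's -errno (-EPERM was the pre-fix answer in a user namespace). */
int send_fdb_del(const struct fdb_del_req *req)
{
    struct sockaddr_nl sa = { .nl_family = AF_NETLINK };
    char buf[256];
    struct nlmsghdr *nh = (struct nlmsghdr *)buf;
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE), ret = -EIO;
    if (fd < 0) return -errno;
    if (sendto(fd, req, req->nh.nlmsg_len, 0, (struct sockaddr *)&sa, sizeof(sa)) < 0)
        ret = -errno;
    else if (recv(fd, buf, sizeof(buf), 0) >= (ssize_t)NLMSG_LENGTH(sizeof(struct nlmsgerr)) && nh->nlmsg_type == NLMSG_ERROR)
        ret = ((struct nlmsgerr *)NLMSG_DATA(nh))->error;  /* 0 on success, -errno on failure */
    close(fd);
    return ret;
}
int main(void)
{
    const unsigned char mac[6] = { 0x02, 0, 0, 0, 0, 0x01 };  /* constructed sample: bridge br0, locally administered MAC */
    struct fdb_del_req req;
    build_fdb_del(&req, if_nametoindex("br0"), mac, NTF_MASTER);
    int ret = send_fdb_del(&req);
    printf("RTM_DELNEIGH: %s\n", ret ? strerror(-ret) : "ok");
    return ret != 0;
}
```

Run it once from the initial namespace and once via `unshare -Urn` after creating the bridge and entry there; a kernel with this fix answers "ok" in both cases, an older kernel answers "Operation not permitted" in the second.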