Commit 6a997f38 authored by Stefano Garzarella's avatar Stefano Garzarella Committed by Jakub Kicinski
Browse files

vsock: prevent child netns mode switch from local to global 



A "local" namespace can change its `child_ns_mode` sysctl to "global",
allowing nested namespaces to access global CIDs. This can be exploited
by an unprivileged user who gained CAP_NET_ADMIN through a user
namespace.

Prevent this by rejecting writes that attempt to set `child_ns_mode` to
"global" when the current namespace's mode is "local".

Fixes: eafb64f4 ("vsock: add netns to vsock core")
Cc: bobbyeshleman@meta.com
Signed-off-by: default avatarStefano Garzarella <sgarzare@redhat.com>
Reviewed-by: default avatarBobby Eshleman <bobbyeshleman@meta.com>
Link: https://patch.msgid.link/20260212205916.97533-3-sgarzare@redhat.com


Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
parent 9dd39149

net/vmw_vsock/af_vsock.c

+12 −3
Original line number Diff line number Diff line
@@ -95,8 +95,9 @@ 
 *     the namespace's own ns_mode.

 *

 *   Changing child_ns_mode only affects newly created namespaces, not the

 *   current namespace or existing children. At namespace creation, ns_mode

 *   is inherited from the parent's child_ns_mode.

 *   current namespace or existing children. A "local" namespace cannot set

 *   child_ns_mode to "global". At namespace creation, ns_mode is inherited

 *   from the parent's child_ns_mode.

 *

 *   The init_net mode is "global" and cannot be modified.

 *
@@ -2844,8 +2845,16 @@ static int vsock_net_child_mode_string(const struct ctl_table *table, int write, 
	if (ret)

		return ret;



	if (write)

	if (write) {

		/* Prevent a "local" namespace from escalating to "global",

		 * which would give nested namespaces access to global CIDs.

		 */

		if (vsock_net_mode(net) == VSOCK_NET_MODE_LOCAL &&

		    new_mode == VSOCK_NET_MODE_GLOBAL)

			return -EPERM;



		vsock_net_set_child_mode(net, new_mode);

	}



	return 0;

}