Commit bf29555f authored by Johannes Wiesböck, committed by Jakub Kicinski

rtnetlink: Allow deleting FDB entries in user namespace



Creating FDB entries is possible from a non-initial user namespace when
having CAP_NET_ADMIN, yet, when deleting FDB entries, processes receive
an EPERM because the capability is always checked against the initial
user namespace. This restricts the FDB management from unprivileged
containers.

Drop the netlink_capable check in rtnl_fdb_del as it was originally
dropped in c5c35108 and reintroduced in 1690be63 without
intention.

This patch was tested using a container on GyroidOS, where it was
possible to delete FDB entries from an unprivileged user namespace and
private network namespace.

Fixes: 1690be63 ("bridge: Add vlan support to static neighbors")
Reviewed-by: Michael Weiß <michael.weiss@aisec.fraunhofer.de>
Tested-by: Harshal Gohel <hg@simonwunderlich.de>
Signed-off-by: Johannes Wiesböck <johannes.wiesboeck@aisec.fraunhofer.de>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Reviewed-by: Nikolay Aleksandrov <razor@blackwall.org>
Link: https://patch.msgid.link/20251015201548.319871-1-johannes.wiesboeck@aisec.fraunhofer.de


Signed-off-by: Jakub Kicinski <kuba@kernel.org>
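The asymmetry the commit message describes (RTM_NEWNEIGH accepted, RTM_DELNEIGH answered with EPERM from a non-initial user namespace) can be checked directly with a raw NETLINK_ROUTE socket rather than through the bridge tool. The program below is an added example written for this page, not part of the kernel patch or of the GyroidOS test setup it mentions. It assumes that the interface named on the command line is a bridge port (the entry is addressed via NTF_MASTER, the same path `bridge fdb add ... master` uses), that the caller runs inside a user namespace where it holds CAP_NET_ADMIN (for instance after `unshare -Urn`, then creating a bridge and a veth port there), and that a static entry (NUD_NOARP | NUD_PERMANENT) is acceptable to the driver. The helper names `build_fdb_msg`, `parse_ack` and `fdb_request` are this example's own. Before the fix the second request is expected to report EPERM; after it both should report ok.

```c
/* Added example: add then delete a static bridge FDB entry over rtnetlink
 * and report the kernel's ack for each step. Not part of the kernel patch. */
#include <errno.h>
#include <net/if.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/if_ether.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>
#include <linux/neighbour.h>

/* One request: netlink header, ndmsg, and room for the NDA_LLADDR attribute. */
struct fdb_req {
    struct nlmsghdr nlh;
    struct ndmsg ndm;
    char attrs[64];
};

/* Build an RTM_NEWNEIGH or RTM_DELNEIGH request for a static FDB entry
 * (family PF_BRIDGE, one NDA_LLADDR attribute). Returns nlmsg_len. */
size_t build_fdb_msg(struct fdb_req *req, uint16_t type, uint16_t extra_flags,
                     int ifindex, uint8_t ndm_flags, const uint8_t mac[ETH_ALEN])
{
    struct rtattr *rta;

    memset(req, 0, sizeof(*req));
    req->nlh.nlmsg_len = NLMSG_LENGTH(sizeof(struct ndmsg));
    req->nlh.nlmsg_type = type;
    req->nlh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | extra_flags;
    req->nlh.nlmsg_seq = 1;                 /* one-shot use, constant is fine */
    req->ndm.ndm_family = PF_BRIDGE;
    req->ndm.ndm_ifindex = ifindex;
    req->ndm.ndm_state = NUD_NOARP | NUD_PERMANENT;   /* static entry (assumption) */
    req->ndm.ndm_flags = ndm_flags;                    /* NTF_MASTER or NTF_SELF */

    /* Attribute starts at the aligned end of the ndmsg payload. */
    rta = (struct rtattr *)((char *)&req->nlh + NLMSG_ALIGN(req->nlh.nlmsg_len));
    rta->rta_type = NDA_LLADDR;
    rta->rta_len = RTA_LENGTH(ETH_ALEN);
    memcpy(RTA_DATA(rta), mac, ETH_ALEN);
    req->nlh.nlmsg_len = NLMSG_ALIGN(req->nlh.nlmsg_len) + RTA_ALIGN(rta->rta_len);
    return req->nlh.nlmsg_len;
}

/* Interpret the reply to an NLM_F_ACK request: 0 on success, a positive errno
 * (e.g. EPERM) on a negative ack, -1 if the buffer is not an NLMSG_ERROR. */
int parse_ack(const void *buf, size_t len)
{
    const struct nlmsghdr *nlh = buf;
    const struct nlmsgerr *err;

    if (!NLMSG_OK(nlh, (int)len) || nlh->nlmsg_type != NLMSG_ERROR)
        return -1;
    if (nlh->nlmsg_len < NLMSG_LENGTH(sizeof(*err)))
        return -1;
    err = NLMSG_DATA(nlh);
    return err->error < 0 ? -err->error : err->error;
}

/* Send one FDB request to the kernel and return parse_ack() of the reply,
 * or the socket errno if sending/receiving itself failed. */
int fdb_request(int fd, uint16_t type, uint16_t extra_flags, int ifindex,
                uint8_t ndm_flags, const uint8_t mac[ETH_ALEN])
{
    struct sockaddr_nl kernel = { .nl_family = AF_NETLINK };   /* pid 0 = kernel */
    struct fdb_req req;
    char reply[512];
    ssize_t n;

    build_fdb_msg(&req, type, extra_flags, ifindex, ndm_flags, mac);
    if (sendto(fd, &req, req.nlh.nlmsg_len, 0,
               (struct sockaddr *)&kernel, sizeof(kernel)) < 0)
        return errno;
    n = recv(fd, reply, sizeof(reply), 0);
    if (n < 0)
        return errno;
    return parse_ack(reply, (size_t)n);
}

static const char *describe(int rc)
{
    return rc == 0 ? "ok" : rc < 0 ? "malformed reply" : strerror(rc);
}

int main(int argc, char **argv)
{
    uint8_t mac[ETH_ALEN];
    int fd, ifindex, rc;

    if (argc != 3 || sscanf(argv[2], "%hhx:%hhx:%hhx:%hhx:%hhx:%hhx",
                            &mac[0], &mac[1], &mac[2], &mac[3], &mac[4], &mac[5]) != 6) {
        fprintf(stderr, "usage: %s <bridge-port-ifname> <mac>\n", argv[0]);
        return 2;
    }
    ifindex = (int)if_nametoindex(argv[1]);
    if (ifindex == 0) {
        perror("if_nametoindex");
        return 1;
    }
    fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
    if (fd < 0) {
        perror("socket");
        return 1;
    }
    rc = fdb_request(fd, RTM_NEWNEIGH, NLM_F_CREATE | NLM_F_EXCL, ifindex, NTF_MASTER, mac);
    printf("RTM_NEWNEIGH: %s\n", describe(rc));
    rc = fdb_request(fd, RTM_DELNEIGH, 0, ifindex, NTF_MASTER, mac);
    printf("RTM_DELNEIGH: %s\n", describe(rc));
    close(fd);
    return 0;
}
```

Run it inside the unprivileged user and network namespace under test, e.g. `unshare -Urn sh -c 'ip link add br0 type bridge; ip link add veth0 type veth peer name veth1; ip link set veth0 master br0; ./fdbtest veth0 02:00:00:00:00:01'`; on a kernel without this fix the add succeeds and the delete prints "Operation not permitted".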
parent 1b0124ad
+0 −3
@@ -4715,9 +4715,6 @@ static int rtnl_fdb_del(struct sk_buff *skb, struct nlmsghdr *nlh,
	int err;
	u16 vid;

	if (!netlink_capable(skb, CAP_NET_ADMIN))
		return -EPERM;

	if (!del_bulk) {
		err = nlmsg_parse_deprecated(nlh, sizeof(*ndm), tb, NDA_MAX,
					     NULL, extack);
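Review bot: after this hunk rtnl_fdb_del() performs no capability check of its own, so the removal is only correct if the rtnetlink dispatcher already applies a namespace-aware CAP_NET_ADMIN check (netlink_net_capable()) to RTM_DELNEIGH before the handler is reached, which is what the commit message implies when it says creation already works with CAP_NET_ADMIN in a non-initial user namespace. The message should name that check explicitly so a reader of the diff does not take `-	if (!netlink_capable(skb, CAP_NET_ADMIN))` / `-		return -EPERM;` as deletion becoming unauthenticated. Note also that the removed check sat ahead of the `if (!del_bulk)` branch and therefore guarded both the single-entry and the bulk-delete paths; both now rely solely on that dispatcher-level check, which is worth stating and testing (the reported test covers single deletion only).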