diff mbox series

[Openvpn-devel,ovpn,net-next] ovpn: netlink - check CAP_NET_ADMIN in source namespace only

Message ID 20260514232343.805411-1-a@unstable.cc
State New
Headers show
Series [Openvpn-devel,ovpn,net-next] ovpn: netlink - check CAP_NET_ADMIN in source namespace only | expand

Commit Message

Antonio Quartulli May 14, 2026, 11:23 p.m. UTC 
From: Antonio Quartulli <antonio@openvpn.net>

Netlink API calls can be allowed as long as the user has
CAP_NET_ADMIN in the source namespace.

There is no need to enforce broader capabilities.

Therefore switch to GENL_UNS_ADMIN_PERM for all netlink ops.

Closes: https://github.com/OpenVPN/ovpn-net-next/issues/33
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
---
 Documentation/netlink/specs/ovpn.yaml | 16 ++++++++--------
 drivers/net/ovpn/netlink-gen.c        | 18 +++++++++---------
 2 files changed, 17 insertions(+), 17 deletions(-)
diff mbox series

Patch

diff --git a/Documentation/netlink/specs/ovpn.yaml b/Documentation/netlink/specs/ovpn.yaml
index b0c782e59a32..5d1f71b2ff78 100644
--- a/Documentation/netlink/specs/ovpn.yaml
+++ b/Documentation/netlink/specs/ovpn.yaml
@@ -397,7 +397,7 @@  operations:
     -
       name: peer-new
       attribute-set: ovpn-peer-new-input
-      flags: [admin-perm]
+      flags: [uns-admin-perm]
       doc: Add a remote peer
       do:
         pre: ovpn-nl-pre-doit
@@ -409,7 +409,7 @@  operations:
     -
       name: peer-set
       attribute-set: ovpn-peer-set-input
-      flags: [admin-perm]
+      flags: [uns-admin-perm]
       doc: modify a remote peer
       do:
         pre: ovpn-nl-pre-doit
@@ -421,7 +421,7 @@  operations:
     -
       name: peer-get
       attribute-set: ovpn
-      flags: [admin-perm]
+      flags: [uns-admin-perm]
       doc: Retrieve data about existing remote peers (or a specific one)
       do:
         pre: ovpn-nl-pre-doit
@@ -443,7 +443,7 @@  operations:
     -
       name: peer-del
       attribute-set: ovpn-peer-del-input
-      flags: [admin-perm]
+      flags: [uns-admin-perm]
       doc: Delete existing remote peer
       do:
         pre: ovpn-nl-pre-doit
@@ -461,7 +461,7 @@  operations:
     -
       name: key-new
       attribute-set: ovpn
-      flags: [admin-perm]
+      flags: [uns-admin-perm]
       doc: Add a cipher key for a specific peer
       do:
         pre: ovpn-nl-pre-doit
@@ -473,7 +473,7 @@  operations:
     -
       name: key-get
       attribute-set: ovpn-keyconf-get
-      flags: [admin-perm]
+      flags: [uns-admin-perm]
       doc: Retrieve non-sensitive data about peer key and cipher
       do:
         pre: ovpn-nl-pre-doit
@@ -488,7 +488,7 @@  operations:
     -
       name: key-swap
       attribute-set: ovpn-keyconf-swap-input
-      flags: [admin-perm]
+      flags: [uns-admin-perm]
       doc: Swap primary and secondary session keys for a specific peer
       do:
         pre: ovpn-nl-pre-doit
@@ -507,7 +507,7 @@  operations:
     -
       name: key-del
       attribute-set: ovpn-keyconf-del-input
-      flags: [admin-perm]
+      flags: [uns-admin-perm]
       doc: Delete cipher key for a specific peer
       do:
         pre: ovpn-nl-pre-doit
diff --git a/drivers/net/ovpn/netlink-gen.c b/drivers/net/ovpn/netlink-gen.c
index 2147cec7c2c5..6f1237f65674 100644
--- a/drivers/net/ovpn/netlink-gen.c
+++ b/drivers/net/ovpn/netlink-gen.c
@@ -179,7 +179,7 @@  static const struct genl_split_ops ovpn_nl_ops[] = {
 		.post_doit	= ovpn_nl_post_doit,
 		.policy		= ovpn_peer_new_nl_policy,
 		.maxattr	= OVPN_A_PEER,
-		.flags		= GENL_ADMIN_PERM | GENL_CMD_CAP_DO,
+		.flags		= GENL_UNS_ADMIN_PERM | GENL_CMD_CAP_DO,
 	},
 	{
 		.cmd		= OVPN_CMD_PEER_SET,
@@ -188,7 +188,7 @@  static const struct genl_split_ops ovpn_nl_ops[] = {
 		.post_doit	= ovpn_nl_post_doit,
 		.policy		= ovpn_peer_set_nl_policy,
 		.maxattr	= OVPN_A_PEER,
-		.flags		= GENL_ADMIN_PERM | GENL_CMD_CAP_DO,
+		.flags		= GENL_UNS_ADMIN_PERM | GENL_CMD_CAP_DO,
 	},
 	{
 		.cmd		= OVPN_CMD_PEER_GET,
@@ -197,14 +197,14 @@  static const struct genl_split_ops ovpn_nl_ops[] = {
 		.post_doit	= ovpn_nl_post_doit,
 		.policy		= ovpn_peer_get_do_nl_policy,
 		.maxattr	= OVPN_A_PEER,
-		.flags		= GENL_ADMIN_PERM | GENL_CMD_CAP_DO,
+		.flags		= GENL_UNS_ADMIN_PERM | GENL_CMD_CAP_DO,
 	},
 	{
 		.cmd		= OVPN_CMD_PEER_GET,
 		.dumpit		= ovpn_nl_peer_get_dumpit,
 		.policy		= ovpn_peer_get_dump_nl_policy,
 		.maxattr	= OVPN_A_IFINDEX,
-		.flags		= GENL_ADMIN_PERM | GENL_CMD_CAP_DUMP,
+		.flags		= GENL_UNS_ADMIN_PERM | GENL_CMD_CAP_DUMP,
 	},
 	{
 		.cmd		= OVPN_CMD_PEER_DEL,
@@ -213,7 +213,7 @@  static const struct genl_split_ops ovpn_nl_ops[] = {
 		.post_doit	= ovpn_nl_post_doit,
 		.policy		= ovpn_peer_del_nl_policy,
 		.maxattr	= OVPN_A_PEER,
-		.flags		= GENL_ADMIN_PERM | GENL_CMD_CAP_DO,
+		.flags		= GENL_UNS_ADMIN_PERM | GENL_CMD_CAP_DO,
 	},
 	{
 		.cmd		= OVPN_CMD_KEY_NEW,
@@ -222,7 +222,7 @@  static const struct genl_split_ops ovpn_nl_ops[] = {
 		.post_doit	= ovpn_nl_post_doit,
 		.policy		= ovpn_key_new_nl_policy,
 		.maxattr	= OVPN_A_KEYCONF,
-		.flags		= GENL_ADMIN_PERM | GENL_CMD_CAP_DO,
+		.flags		= GENL_UNS_ADMIN_PERM | GENL_CMD_CAP_DO,
 	},
 	{
 		.cmd		= OVPN_CMD_KEY_GET,
@@ -231,7 +231,7 @@  static const struct genl_split_ops ovpn_nl_ops[] = {
 		.post_doit	= ovpn_nl_post_doit,
 		.policy		= ovpn_key_get_nl_policy,
 		.maxattr	= OVPN_A_KEYCONF,
-		.flags		= GENL_ADMIN_PERM | GENL_CMD_CAP_DO,
+		.flags		= GENL_UNS_ADMIN_PERM | GENL_CMD_CAP_DO,
 	},
 	{
 		.cmd		= OVPN_CMD_KEY_SWAP,
@@ -240,7 +240,7 @@  static const struct genl_split_ops ovpn_nl_ops[] = {
 		.post_doit	= ovpn_nl_post_doit,
 		.policy		= ovpn_key_swap_nl_policy,
 		.maxattr	= OVPN_A_KEYCONF,
-		.flags		= GENL_ADMIN_PERM | GENL_CMD_CAP_DO,
+		.flags		= GENL_UNS_ADMIN_PERM | GENL_CMD_CAP_DO,
 	},
 	{
 		.cmd		= OVPN_CMD_KEY_DEL,
@@ -249,7 +249,7 @@  static const struct genl_split_ops ovpn_nl_ops[] = {
 		.post_doit	= ovpn_nl_post_doit,
 		.policy		= ovpn_key_del_nl_policy,
 		.maxattr	= OVPN_A_KEYCONF,
-		.flags		= GENL_ADMIN_PERM | GENL_CMD_CAP_DO,
+		.flags		= GENL_UNS_ADMIN_PERM | GENL_CMD_CAP_DO,
 	},
 };