From patchwork Thu May 14 23:23:43 2026
X-Patchwork-Submitter: Antonio Quartulli
X-Patchwork-Id: 4946
From: Antonio Quartulli
To: openvpn-devel@lists.sourceforge.net
Date: Fri, 15 May 2026 01:23:43 +0200
Message-ID: <20260514232343.805411-1-a@unstable.cc>
Subject: [Openvpn-devel] [PATCH ovpn net-next] ovpn: netlink - check CAP_NET_ADMIN in source namespace only
Cc: Antonio Quartulli

From: Antonio Quartulli

Netlink API calls can be allowed as long as the user has CAP_NET_ADMIN in
the source namespace. There is no need to enforce broader capabilities.

Therefore switch to GENL_UNS_ADMIN_PERM for all netlink ops.

Closes: https://github.com/OpenVPN/ovpn-net-next/issues/33
Signed-off-by: Antonio Quartulli
---
 Documentation/netlink/specs/ovpn.yaml | 16 ++++++++--------
 drivers/net/ovpn/netlink-gen.c        | 18 +++++++++---------
 2 files changed, 17 insertions(+), 17 deletions(-)

diff --git a/Documentation/netlink/specs/ovpn.yaml b/Documentation/netlink/specs/ovpn.yaml
index b0c782e59a32..5d1f71b2ff78 100644
--- a/Documentation/netlink/specs/ovpn.yaml
+++ b/Documentation/netlink/specs/ovpn.yaml
@@ -397,7 +397,7 @@ operations: - name: peer-new attribute-set: ovpn-peer-new-input - flags: [admin-perm] + flags: [uns-admin-perm] doc: Add a remote peer do: pre: ovpn-nl-pre-doit @@ -409,7 +409,7 @@ operations: - name: peer-set attribute-set: ovpn-peer-set-input - flags: [admin-perm] + flags: [uns-admin-perm] doc: modify a remote peer do: pre: ovpn-nl-pre-doit @@ -421,7 +421,7 @@ operations: - name: peer-get attribute-set: ovpn - flags: [admin-perm] + flags: [uns-admin-perm] doc: Retrieve data about existing remote peers (or a specific one) do: pre: ovpn-nl-pre-doit @@ -443,7 +443,7 @@ operations: - name: peer-del attribute-set: ovpn-peer-del-input - flags: [admin-perm] + flags: [uns-admin-perm] doc: Delete existing remote peer do: pre: ovpn-nl-pre-doit @@ -461,7 +461,7 @@ operations: - name: key-new attribute-set: ovpn - flags: [admin-perm] + flags: [uns-admin-perm] doc: Add a cipher key for a specific peer do: pre: ovpn-nl-pre-doit @@ -473,7 +473,7 @@ operations: - name: key-get attribute-set: ovpn-keyconf-get - flags: [admin-perm] + flags: [uns-admin-perm] doc: Retrieve non-sensitive data about peer key and cipher do: pre: ovpn-nl-pre-doit @@ -488,7 +488,7 @@ operations: - name: key-swap attribute-set: ovpn-keyconf-swap-input - flags: [admin-perm] + flags: [uns-admin-perm] doc: Swap primary and secondary session keys for a specific peer do: pre: ovpn-nl-pre-doit @@ -507,7 +507,7 @@ operations: - name: key-del attribute-set: ovpn-keyconf-del-input - flags: [admin-perm] + flags: [uns-admin-perm] doc: Delete cipher key for a specific peer do: pre: ovpn-nl-pre-doit diff --git a/drivers/net/ovpn/netlink-gen.c b/drivers/net/ovpn/netlink-gen.c index 2147cec7c2c5..6f1237f65674 100644 --- a/drivers/net/ovpn/netlink-gen.c +++ b/drivers/net/ovpn/netlink-gen.c 
@@ -179,7 +179,7 @@ static const struct genl_split_ops ovpn_nl_ops[] = { .post_doit = ovpn_nl_post_doit, .policy = ovpn_peer_new_nl_policy, .maxattr = OVPN_A_PEER, - .flags = GENL_ADMIN_PERM | GENL_CMD_CAP_DO, + .flags = GENL_UNS_ADMIN_PERM | GENL_CMD_CAP_DO, }, { .cmd = OVPN_CMD_PEER_SET, @@ -188,7 +188,7 @@ static const struct genl_split_ops ovpn_nl_ops[] = { .post_doit = ovpn_nl_post_doit, .policy = ovpn_peer_set_nl_policy, .maxattr = OVPN_A_PEER, - .flags = GENL_ADMIN_PERM | GENL_CMD_CAP_DO, + .flags = GENL_UNS_ADMIN_PERM | GENL_CMD_CAP_DO, }, { .cmd = OVPN_CMD_PEER_GET, @@ -197,14 +197,14 @@ static const struct genl_split_ops ovpn_nl_ops[] = { .post_doit = ovpn_nl_post_doit, .policy = ovpn_peer_get_do_nl_policy, .maxattr = OVPN_A_PEER, - .flags = GENL_ADMIN_PERM | GENL_CMD_CAP_DO, + .flags = GENL_UNS_ADMIN_PERM | GENL_CMD_CAP_DO, }, { .cmd = OVPN_CMD_PEER_GET, .dumpit = ovpn_nl_peer_get_dumpit, .policy = ovpn_peer_get_dump_nl_policy, .maxattr = OVPN_A_IFINDEX, - .flags = GENL_ADMIN_PERM | GENL_CMD_CAP_DUMP, + .flags = GENL_UNS_ADMIN_PERM | GENL_CMD_CAP_DUMP, }, { .cmd = OVPN_CMD_PEER_DEL, @@ -213,7 +213,7 @@ static const struct genl_split_ops ovpn_nl_ops[] = { .post_doit = ovpn_nl_post_doit, .policy = ovpn_peer_del_nl_policy, .maxattr = OVPN_A_PEER, - .flags = GENL_ADMIN_PERM | GENL_CMD_CAP_DO, + .flags = GENL_UNS_ADMIN_PERM | GENL_CMD_CAP_DO, }, { .cmd = OVPN_CMD_KEY_NEW, @@ -222,7 +222,7 @@ static const struct genl_split_ops ovpn_nl_ops[] = { .post_doit = ovpn_nl_post_doit, .policy = ovpn_key_new_nl_policy, .maxattr = OVPN_A_KEYCONF, - .flags = GENL_ADMIN_PERM | GENL_CMD_CAP_DO, + .flags = GENL_UNS_ADMIN_PERM | GENL_CMD_CAP_DO, }, { .cmd = OVPN_CMD_KEY_GET, @@ -231,7 +231,7 @@ static const struct genl_split_ops ovpn_nl_ops[] = { .post_doit = ovpn_nl_post_doit, .policy = ovpn_key_get_nl_policy, .maxattr = OVPN_A_KEYCONF, - .flags = GENL_ADMIN_PERM | GENL_CMD_CAP_DO, + .flags = GENL_UNS_ADMIN_PERM | GENL_CMD_CAP_DO, }, { .cmd = OVPN_CMD_KEY_SWAP, 
@@ -240,7 +240,7 @@ static const struct genl_split_ops ovpn_nl_ops[] = { .post_doit = ovpn_nl_post_doit, .policy = ovpn_key_swap_nl_policy, .maxattr = OVPN_A_KEYCONF, - .flags = GENL_ADMIN_PERM | GENL_CMD_CAP_DO, + .flags = GENL_UNS_ADMIN_PERM | GENL_CMD_CAP_DO, }, { .cmd = OVPN_CMD_KEY_DEL, @@ -249,7 +249,7 @@ static const struct genl_split_ops ovpn_nl_ops[] = { .post_doit = ovpn_nl_post_doit, .policy = ovpn_key_del_nl_policy, .maxattr = OVPN_A_KEYCONF, - .flags = GENL_ADMIN_PERM | GENL_CMD_CAP_DO, + .flags = GENL_UNS_ADMIN_PERM | GENL_CMD_CAP_DO, }, };
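Review bot: the commit message should state why relaxing every op from GENL_ADMIN_PERM to GENL_UNS_ADMIN_PERM is safe, not only that it is sufficient. With GENL_ADMIN_PERM the generic netlink core requires CAP_NET_ADMIN in the initial user namespace; with GENL_UNS_ADMIN_PERM it requires CAP_NET_ADMIN in the user namespace that owns the network namespace of the requesting socket, so after this series the unprivileged owner of a user/net namespace pair can drive all of these commands against ovpn devices reachable from that namespace. Every do op in both files still runs through ovpn-nl-pre-doit / ovpn_nl_pre_doit (visible in the hunk context), so the property a reviewer needs is that the pre_doit resolves OVPN_A_IFINDEX only within the caller's network namespace (genl_info_net()) and that ovpn interfaces can be created inside such namespaces in the first place; one sentence confirming both would make the change reviewable without opening the rest of the driver.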
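Review bot: the OVPN_CMD_PEER_GET dump entry in the @@ -197,14 hunk (`.dumpit = ovpn_nl_peer_get_dumpit`, `.maxattr = OVPN_A_IFINDEX`) is the only op in the table without pre_doit/post_doit, so it is not covered by whatever namespace scoping ovpn_nl_pre_doit provides. Since GENL_UNS_ADMIN_PERM now admits callers who are CAP_NET_ADMIN only in their own namespace, the dumpit's own lookup of the device by OVPN_A_IFINDEX must be confined to the socket's network namespace (sock_net(skb->sk)) as well; please confirm that in the commit message, as it is the one path where the relaxed capability check and the device lookup are not tied together by the pre_doit.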
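Review bot: drivers/net/ovpn/netlink-gen.c is generated from Documentation/netlink/specs/ovpn.yaml, and the two sets of hunks mirror each other one-to-one (eight `admin-perm` to `uns-admin-perm` changes in the spec, nine `.flags` changes in the C table because peer-get has both a do and a dump entry, matching the 17 insertions in the diffstat). Please note in the commit message that the C file was regenerated from the spec with the ynl generator (tools/net/ynl/ynl-regen.sh) rather than edited by hand, so a future regeneration cannot silently diverge from the permission flags reviewed here.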