From patchwork Mon May 25 14:36:06 2026
X-Patchwork-Submitter: Antonio Quartulli
X-Patchwork-Id: 4966
From: Antonio Quartulli
To: openvpn-devel@lists.sourceforge.net
Date: Mon, 25 May 2026 16:36:06 +0200
Message-ID: <20260525143606.1532168-4-a@unstable.cc>
In-Reply-To: <20260525143606.1532168-1-a@unstable.cc>
References: <20260525143606.1532168-1-a@unstable.cc>
Subject: [Openvpn-devel] [PATCH 4/4] ovpn: netlink - check CAP_NET_ADMIN in source namespace only
Cc: Antonio Quartulli

From: Antonio Quartulli

Netlink API calls can be allowed as long as the user has CAP_NET_ADMIN in the source namespace. There is no need to enforce broader capabilities.

Therefore switch to GENL_UNS_ADMIN_PERM for all netlink ops.

Closes: https://github.com/OpenVPN/ovpn-net-next/issues/33
Signed-off-by: Antonio Quartulli
---
 Documentation/netlink/specs/ovpn.yaml | 16 ++++++++--------
 drivers/net/ovpn/netlink-gen.c        | 18 +++++++++---------
 2 files changed, 17 insertions(+), 17 deletions(-)

diff --git a/Documentation/netlink/specs/ovpn.yaml b/Documentation/netlink/specs/ovpn.yaml
index b0c782e59a32..5d1f71b2ff78 100644
--- a/Documentation/netlink/specs/ovpn.yaml
+++ b/Documentation/netlink/specs/ovpn.yaml
@@ -397,7 +397,7 @@ operations: - name: peer-new attribute-set: ovpn-peer-new-input - flags: [admin-perm] + flags: [uns-admin-perm] doc: Add a remote peer do: pre: ovpn-nl-pre-doit @@ -409,7 +409,7 @@ operations: - name: peer-set attribute-set: ovpn-peer-set-input - flags: [admin-perm] + flags: [uns-admin-perm] doc: modify a remote peer do: pre: ovpn-nl-pre-doit @@ -421,7 +421,7 @@ operations: - name: peer-get attribute-set: ovpn - flags: [admin-perm] + flags: [uns-admin-perm] doc: Retrieve data about existing remote peers (or a specific one) do: pre: ovpn-nl-pre-doit @@ -443,7 +443,7 @@ operations: - name: peer-del attribute-set: ovpn-peer-del-input - flags: [admin-perm] + flags: [uns-admin-perm] doc: Delete existing remote peer do: pre: ovpn-nl-pre-doit @@ -461,7 +461,7 @@ operations: - name: key-new attribute-set: ovpn - flags: [admin-perm] + flags: [uns-admin-perm] doc: Add a cipher key for a specific peer do: pre: ovpn-nl-pre-doit @@ -473,7 +473,7 @@ operations: - name: key-get attribute-set: ovpn-keyconf-get - flags: [admin-perm] + flags: [uns-admin-perm] doc: Retrieve non-sensitive data about peer key and cipher do: pre: ovpn-nl-pre-doit @@ -488,7 +488,7 @@ operations: - name: key-swap attribute-set: ovpn-keyconf-swap-input - flags: [admin-perm] + flags: [uns-admin-perm] doc: Swap primary and secondary session keys for a specific peer do: pre: ovpn-nl-pre-doit @@ -507,7 +507,7 @@ operations: - name: key-del attribute-set: ovpn-keyconf-del-input - flags: [admin-perm] + flags: [uns-admin-perm] doc: Delete cipher key for a specific peer do: pre: ovpn-nl-pre-doit diff --git a/drivers/net/ovpn/netlink-gen.c b/drivers/net/ovpn/netlink-gen.c index 2147cec7c2c5..6f1237f65674 100644 --- a/drivers/net/ovpn/netlink-gen.c +++ b/drivers/net/ovpn/netlink-gen.c 
@@ -179,7 +179,7 @@ static const struct genl_split_ops ovpn_nl_ops[] = { .post_doit = ovpn_nl_post_doit, .policy = ovpn_peer_new_nl_policy, .maxattr = OVPN_A_PEER, - .flags = GENL_ADMIN_PERM | GENL_CMD_CAP_DO, + .flags = GENL_UNS_ADMIN_PERM | GENL_CMD_CAP_DO, }, { .cmd = OVPN_CMD_PEER_SET, @@ -188,7 +188,7 @@ static const struct genl_split_ops ovpn_nl_ops[] = { .post_doit = ovpn_nl_post_doit, .policy = ovpn_peer_set_nl_policy, .maxattr = OVPN_A_PEER, - .flags = GENL_ADMIN_PERM | GENL_CMD_CAP_DO, + .flags = GENL_UNS_ADMIN_PERM | GENL_CMD_CAP_DO, }, { .cmd = OVPN_CMD_PEER_GET, @@ -197,14 +197,14 @@ static const struct genl_split_ops ovpn_nl_ops[] = { .post_doit = ovpn_nl_post_doit, .policy = ovpn_peer_get_do_nl_policy, .maxattr = OVPN_A_PEER, - .flags = GENL_ADMIN_PERM | GENL_CMD_CAP_DO, + .flags = GENL_UNS_ADMIN_PERM | GENL_CMD_CAP_DO, }, { .cmd = OVPN_CMD_PEER_GET, .dumpit = ovpn_nl_peer_get_dumpit, .policy = ovpn_peer_get_dump_nl_policy, .maxattr = OVPN_A_IFINDEX, - .flags = GENL_ADMIN_PERM | GENL_CMD_CAP_DUMP, + .flags = GENL_UNS_ADMIN_PERM | GENL_CMD_CAP_DUMP, }, { .cmd = OVPN_CMD_PEER_DEL, @@ -213,7 +213,7 @@ static const struct genl_split_ops ovpn_nl_ops[] = { .post_doit = ovpn_nl_post_doit, .policy = ovpn_peer_del_nl_policy, .maxattr = OVPN_A_PEER, - .flags = GENL_ADMIN_PERM | GENL_CMD_CAP_DO, + .flags = GENL_UNS_ADMIN_PERM | GENL_CMD_CAP_DO, }, { .cmd = OVPN_CMD_KEY_NEW, @@ -222,7 +222,7 @@ static const struct genl_split_ops ovpn_nl_ops[] = { .post_doit = ovpn_nl_post_doit, .policy = ovpn_key_new_nl_policy, .maxattr = OVPN_A_KEYCONF, - .flags = GENL_ADMIN_PERM | GENL_CMD_CAP_DO, + .flags = GENL_UNS_ADMIN_PERM | GENL_CMD_CAP_DO, }, { .cmd = OVPN_CMD_KEY_GET, @@ -231,7 +231,7 @@ static const struct genl_split_ops ovpn_nl_ops[] = { .post_doit = ovpn_nl_post_doit, .policy = ovpn_key_get_nl_policy, .maxattr = OVPN_A_KEYCONF, - .flags = GENL_ADMIN_PERM | GENL_CMD_CAP_DO, + .flags = GENL_UNS_ADMIN_PERM | GENL_CMD_CAP_DO, }, { .cmd = OVPN_CMD_KEY_SWAP, 
@@ -240,7 +240,7 @@ static const struct genl_split_ops ovpn_nl_ops[] = { .post_doit = ovpn_nl_post_doit, .policy = ovpn_key_swap_nl_policy, .maxattr = OVPN_A_KEYCONF, - .flags = GENL_ADMIN_PERM | GENL_CMD_CAP_DO, + .flags = GENL_UNS_ADMIN_PERM | GENL_CMD_CAP_DO, }, { .cmd = OVPN_CMD_KEY_DEL, @@ -249,7 +249,7 @@ static const struct genl_split_ops ovpn_nl_ops[] = { .post_doit = ovpn_nl_post_doit, .policy = ovpn_key_del_nl_policy, .maxattr = OVPN_A_KEYCONF, - .flags = GENL_ADMIN_PERM | GENL_CMD_CAP_DO, + .flags = GENL_UNS_ADMIN_PERM | GENL_CMD_CAP_DO, }, };
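Review bot: the spec hunks in Documentation/netlink/specs/ovpn.yaml (the eight `flags: [admin-perm]` to `flags: [uns-admin-perm]` changes from `@@ -397` through `@@ -507`) are consistent with the C side, but neither the commit message nor the ops' `doc:` lines say what the relaxed check actually scopes to. GENL_UNS_ADMIN_PERM grants the op to a caller holding CAP_NET_ADMIN in the user namespace that owns the netlink socket's network namespace, so "source namespace" in the commit message should be spelled out as that, and since drivers/net/ovpn/netlink-gen.c is generated from this spec, the C hunks should be exactly the regenerated output rather than a hand edit; a one-line statement that the file was regenerated would make that reviewable.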
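Review bot: the OVPN_CMD_PEER_GET dump entry in hunk `@@ -197,14 +197,14 @@` has no `.pre_doit`, so with `.flags = GENL_UNS_ADMIN_PERM | GENL_CMD_CAP_DUMP` the namespace scoping of that op rests entirely on ovpn_nl_peer_get_dumpit resolving OVPN_A_IFINDEX in the requesting socket's own network namespace; the doit ops all go through ovpn_nl_pre_doit, which must do the same. Before this relaxation a CAP_NET_ADMIN check in the init user namespace masked any cross-namespace lookup; after it, an admin of one container would be able to enumerate or modify peers and keys of an ovpn interface in another namespace if either lookup is not netns-bound. Suggest confirming both paths in the cover letter or adding a test that a peer-get dump from a non-init netns returns only that netns's interfaces.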