[Devel] [PATCH vz10] netlink: fix repair-mode bypass of the NONROOT_SEND permission check

Konstantin Khorenko khorenko at virtuozzo.com
Thu Jun 4 12:11:57 MSK 2026


The "skip the send permission check in repair mode" logic was mis-parenthesised:

	if ((dst_group || dst_portid) &&
	    !netlink_allowed(sock, NL_CFG_F_NONROOT_SEND &&
	    !repair))
		goto out;

"&& !repair" was folded into the second argument of netlink_allowed().
Because NL_CFG_F_NONROOT_SEND == (1 << 1) == 2, the expression
"NL_CFG_F_NONROOT_SEND && !repair" evaluates to the int 1 (in non-repair
mode), not 2, so netlink_allowed() tested the NL_CFG_F_NONROOT_RECV bit
(1 << 0) instead of NL_CFG_F_NONROOT_SEND. For a protocol configured with
NONROOT_SEND only (e.g. NETLINK_USERSOCK), flags & NONROOT_RECV == 0, so an
unprivileged multicast/unicast sendmsg started requiring CAP_NET_ADMIN and
failed with -EPERM - a permission regression - while in repair mode the
check was not actually bypassed as intended.

Move "&& !repair" out of the netlink_allowed() argument so the check is the
intended: deny only when the socket is not allowed to send AND we are not in
repair mode.

Fixes: cec8e3bfc365 ("netlink: add an ability to restore messages in a receive queue")
https://virtuozzo.atlassian.net/browse/VSTOR-132310
Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
---
 net/netlink/af_netlink.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 5a065e6cedcb..f686e6ea30ce 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -1901,8 +1901,8 @@ static int netlink_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
 		dst_group = ffs(addr->nl_groups);
 		err =  -EPERM;
 		if ((dst_group || dst_portid) &&
-		    !netlink_allowed(sock, NL_CFG_F_NONROOT_SEND &&
-		    !repair))
+		    !netlink_allowed(sock, NL_CFG_F_NONROOT_SEND) &&
+		    !repair)
 			goto out;
 		netlink_skb_flags |= NETLINK_SKB_DST;
 	} else {
-- 
2.47.1



More information about the Devel mailing list