[Devel] [PATCH vz10] netlink: fix repair-mode bypass of the NONROOT_SEND permission check

Vasileios Almpanis vasileios.almpanis at virtuozzo.com
Fri Jun 5 09:34:20 MSK 2026


Reviewed-by: Vasileios Almpanis <vasileios.almpanis at virtuozzo.com>

On 6/4/26 11:11 AM, Konstantin Khorenko wrote:
> The "skip the send permission check in repair mode" logic was mis-parenthesised:
>
> 	if ((dst_group || dst_portid) &&
> 	    !netlink_allowed(sock, NL_CFG_F_NONROOT_SEND &&
> 	    !repair))
> 		goto out;
>
> "&& !repair" was folded into the second argument of netlink_allowed().
> Because NL_CFG_F_NONROOT_SEND == (1 << 1) == 2, the expression
> "NL_CFG_F_NONROOT_SEND && !repair" evaluates to the int 1 (in non-repair
> mode), not 2, so netlink_allowed() tested the NL_CFG_F_NONROOT_RECV bit
> (1 << 0) instead of NL_CFG_F_NONROOT_SEND. For a protocol configured with
> NONROOT_SEND only (e.g. NETLINK_USERSOCK), flags & NONROOT_RECV == 0, so an
> unprivileged multicast/unicast sendmsg started requiring CAP_NET_ADMIN and
> failed with -EPERM - a permission regression - while in repair mode the
> check was not actually bypassed as intended.
>
> Move "&& !repair" out of the netlink_allowed() argument so the check is the
> intended one: deny only when the socket is not allowed to send AND we are not
> in repair mode.
>
> Fixes: cec8e3bfc365 ("netlink: add an ability to restore messages in a receive queue")
> https://virtuozzo.atlassian.net/browse/VSTOR-132310
> Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
> ---
>   net/netlink/af_netlink.c | 4 ++--
>   1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
> index 5a065e6cedcb..f686e6ea30ce 100644
> --- a/net/netlink/af_netlink.c
> +++ b/net/netlink/af_netlink.c
> @@ -1901,8 +1901,8 @@ static int netlink_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
>   		dst_group = ffs(addr->nl_groups);
>   		err =  -EPERM;
>   		if ((dst_group || dst_portid) &&
> -		    !netlink_allowed(sock, NL_CFG_F_NONROOT_SEND &&
> -		    !repair))
> +		    !netlink_allowed(sock, NL_CFG_F_NONROOT_SEND) &&
> +		    !repair)
>   			goto out;
>   		netlink_skb_flags |= NETLINK_SKB_DST;
>   	} else {
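Review bot: the reparenthesised condition in this hunk, `!netlink_allowed(sock, NL_CFG_F_NONROOT_SEND) && !repair`, now passes the real flag bit to netlink_allowed() and only bypasses the deny when `repair` is set, which matches the intent stated in the commit message; since the original mistake compiled silently (an int-valued `&&` expression is a valid `flags` argument), it is worth adding a regression test or at least a note covering both cases called out above: an unprivileged sendmsg on a NONROOT_SEND-only protocol such as NETLINK_USERSOCK must no longer return -EPERM, and a socket in repair mode must skip the check. As a readability point, wrapping the two deny conditions as `(!netlink_allowed(sock, NL_CFG_F_NONROOT_SEND) && !repair)` inside the outer `&&` would make the intended grouping explicit and harder to regress the same way.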

-- 
Best regards, Vasileios Almpanis
Software Developer, Virtuozzo.