[Devel] [PATCH RHEL10 COMMIT] netlink: fix repair-mode bypass of the NONROOT_SEND permission check

Konstantin Khorenko khorenko at virtuozzo.com
Mon Jun 15 13:54:48 MSK 2026


The commit is pushed to "branch-rh10-6.12.0-211.16.1.12.x.vz10-ovz" and will appear at git at bitbucket.org:openvz/vzkernel.git
after rh10-6.12.0-211.16.1.el10
------>
commit 1c69a6bb8cf50f5988736308f9e244fc730f02fc
Author: Konstantin Khorenko <khorenko at virtuozzo.com>
Date:   Wed Jun 3 23:54:07 2026 +0200

    netlink: fix repair-mode bypass of the NONROOT_SEND permission check
    
    The "skip the send permission check in repair mode" logic was mis-parenthesised:
    
            if ((dst_group || dst_portid) &&
                !netlink_allowed(sock, NL_CFG_F_NONROOT_SEND &&
                !repair))
                    goto out;
    
    "&& !repair" was folded into the second argument of netlink_allowed().
    Because NL_CFG_F_NONROOT_SEND == (1 << 1) == 2, the expression
    "NL_CFG_F_NONROOT_SEND && !repair" evaluates to the int 1 (in non-repair
    mode), not 2, so netlink_allowed() tested the NL_CFG_F_NONROOT_RECV bit
    (1 << 0) instead of NL_CFG_F_NONROOT_SEND. For a protocol configured with
    NONROOT_SEND only (e.g. NETLINK_USERSOCK), flags & NONROOT_RECV == 0, so an
    unprivileged multicast/unicast sendmsg started requiring CAP_NET_ADMIN and
    failed with -EPERM - a permission regression - while in repair mode the
    check was not actually bypassed as intended.
    
    Move "&& !repair" out of the netlink_allowed() argument so the check is the
    intended: deny only when the socket is not allowed to send AND we are not in
    repair mode.
    
    Fixes: 6f0dc7dd9965 ("netlink: add an ability to restore messages in a receive queue")
    https://virtuozzo.atlassian.net/browse/VSTOR-132310
    Feature: ve: CRIU support
    Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
---
 net/netlink/af_netlink.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 5a065e6cedcb..f686e6ea30ce 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -1901,8 +1901,8 @@ static int netlink_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
 		dst_group = ffs(addr->nl_groups);
 		err =  -EPERM;
 		if ((dst_group || dst_portid) &&
-		    !netlink_allowed(sock, NL_CFG_F_NONROOT_SEND &&
-		    !repair))
+		    !netlink_allowed(sock, NL_CFG_F_NONROOT_SEND) &&
+		    !repair)
 			goto out;
 		netlink_skb_flags |= NETLINK_SKB_DST;
 	} else {


More information about the Devel mailing list