[Devel] [PATCH RHEL10 COMMIT] netlink: fix repair-mode bypass of the NONROOT_SEND permission check
Konstantin Khorenko
khorenko at virtuozzo.com
Mon Jun 15 13:54:48 MSK 2026
The commit is pushed to "branch-rh10-6.12.0-211.16.1.12.x.vz10-ovz" and will appear at git at bitbucket.org:openvz/vzkernel.git
after rh10-6.12.0-211.16.1.el10
------>
commit 1c69a6bb8cf50f5988736308f9e244fc730f02fc
Author: Konstantin Khorenko <khorenko at virtuozzo.com>
Date: Wed Jun 3 23:54:07 2026 +0200
netlink: fix repair-mode bypass of the NONROOT_SEND permission check
The "skip the send permission check in repair mode" logic was mis-parenthesised:
if ((dst_group || dst_portid) &&
!netlink_allowed(sock, NL_CFG_F_NONROOT_SEND &&
!repair))
goto out;
"&& !repair" was folded into the second argument of netlink_allowed().
Because NL_CFG_F_NONROOT_SEND == (1 << 1) == 2, the expression
"NL_CFG_F_NONROOT_SEND && !repair" evaluates to the int 1 (in non-repair
mode), not 2, so netlink_allowed() tested the NL_CFG_F_NONROOT_RECV bit
(1 << 0) instead of NL_CFG_F_NONROOT_SEND. For a protocol configured with
NONROOT_SEND only (e.g. NETLINK_USERSOCK), flags & NONROOT_RECV == 0, so an
unprivileged multicast/unicast sendmsg started requiring CAP_NET_ADMIN and
failed with -EPERM - a permission regression - while in repair mode the
check was not actually bypassed as intended.
Move "&& !repair" out of the netlink_allowed() argument so the check is the
intended: deny only when the socket is not allowed to send AND we are not in
repair mode.
Fixes: 6f0dc7dd9965 ("netlink: add an ability to restore messages in a receive queue")
https://virtuozzo.atlassian.net/browse/VSTOR-132310
Feature: ve: CRIU support
Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
---
net/netlink/af_netlink.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 5a065e6cedcb..f686e6ea30ce 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -1901,8 +1901,8 @@ static int netlink_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
dst_group = ffs(addr->nl_groups);
err = -EPERM;
if ((dst_group || dst_portid) &&
- !netlink_allowed(sock, NL_CFG_F_NONROOT_SEND &&
- !repair))
+ !netlink_allowed(sock, NL_CFG_F_NONROOT_SEND) &&
+ !repair)
goto out;
netlink_skb_flags |= NETLINK_SKB_DST;
} else {
More information about the Devel
mailing list