linux.git - Linux kernel source tree

diff options

author	Stefano Garzarella <sgarzare@redhat.com>	2026-02-12 21:59:16 +0100
committer	Jakub Kicinski <kuba@kernel.org>	2026-02-13 12:28:38 -0800
commit	6a997f38bdf822d4c5cc10b445ff1cb26872580a (patch)
tree	6a32a60dd65bd2bda4e58c905049b6f3f88dfc2b /include/linux/i2c/git@git.tavy.me:linux.git
parent	9dd391493a727464e9a03cfff9356c8e10b8da0b (diff)

vsock: prevent child netns mode switch from local to global

A "local" namespace can change its `child_ns_mode` sysctl to "global", allowing nested namespaces to access global CIDs. This can be exploited by an unprivileged user who gained CAP_NET_ADMIN through a user namespace. Prevent this by rejecting writes that attempt to set `child_ns_mode` to "global" when the current namespace's mode is "local". Fixes: eafb64f40ca4 ("vsock: add netns to vsock core") Cc: bobbyeshleman@meta.com Signed-off-by: Stefano Garzarella <sgarzare@redhat.com> Reviewed-by: Bobby Eshleman <bobbyeshleman@meta.com> Link: https://patch.msgid.link/20260212205916.97533-3-sgarzare@redhat.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>

Diffstat (limited to 'include/linux/i2c/git@git.tavy.me:linux.git')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: