From: Cong Wang The netem qdisc has a known security issue with packet duplication that makes it unsafe to use in unprivileged contexts. While netem typically requires CAP_NET_ADMIN to load, users with "root" privileges inside a user namespace also have CAP_NET_ADMIN within that namespace, allowing them to potentially exploit this feature. To address this, we need to restrict the netem duplication to only the initial user namespace. Fixes: 0afb51e72855 ("[PKT_SCHED]: netem: reinsert for duplication") Signed-off-by: Cong Wang --- net/sched/sch_netem.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c index 191f64bd68ff..f87b862c769a 100644 --- a/net/sched/sch_netem.c +++ b/net/sched/sch_netem.c @@ -991,6 +991,12 @@ static int netem_change(struct Qdisc *sch, struct nlattr *opt, int ret; qopt = nla_data(opt); + + if (dev_net(qdisc_dev(sch))->user_ns != &init_user_ns && qopt->duplicate) { + NL_SET_ERR_MSG(extack, "Duplication is not allowed in unprivileged namespaces"); + return -EINVAL; + } + ret = parse_attr(tb, TCA_NETEM_MAX, opt, netem_policy, sizeof(*qopt)); if (ret < 0) return ret; -- 2.34.1
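Review bot: the new check reads qopt->duplicate before parse_attr() has confirmed that the TCA_OPTIONS payload is at least sizeof(*qopt) bytes long (that length validation is what the sizeof(*qopt) argument to parse_attr() is for), so a truncated netlink attribute reaches this dereference before the existing length check rejects it. Move the namespace check to just after `if (ret < 0) return ret;` so it runs on validated input, and keep the early return with the extack message as written. Separately, the commit message should describe the duplication issue it is closing (or point at where it is documented) rather than only calling it "a known security issue"; as written a maintainer cannot tell what the init_user_ns restriction is protecting against, or whether restricting only the duplicate field is sufficient when the other netem knobs remain settable from a user namespace that owns the netns.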