tun: Check for cap in the netns-owning userns when creating tun

Instead of the ioctl-calling task's own userns. Analogous to how
Linux does a `ns_capable(net->user_ns, CAP_NET_ADMIN)`.

PiperOrigin-RevId: 842903973

Author: shailend-g

pkg/sentry/devices/tundev/tundev.go

@@ -83,7 +83,7 @@ func (fd *tunFD) Ioctl(ctx context.Context, uio usermem.IO, sysno uintptr, args
 
 	switch request {
 	case linux.TUNSETIFF:
-		if !t.HasCapability(linux.CAP_NET_ADMIN) {
+		if !t.HasCapabilityIn(linux.CAP_NET_ADMIN, t.NetworkNamespace().UserNamespace()) {
 			return 0, linuxerr.EPERM
 		}
 		stack, ok := t.NetworkContext().(*netstack.Stack)

test/syscalls/linux/BUILD

@@ -4280,6 +4280,8 @@ cc_binary(
         "//test/util:capability_util",
         "//test/util:file_descriptor",
         "//test/util:fs_util",
+        "//test/util:logging",
+        "//test/util:multiprocess_util",
         "//test/util:posix_error",
         "//test/util:socket_util",
         "//test/util:test_main",

test/syscalls/linux/network_namespace.cc

@@ -18,6 +18,7 @@
 #include "test/syscalls/linux/ip_socket_test_util.h"
 #include "test/util/capability_util.h"
 #include "test/util/file_descriptor.h"
+#include "test/util/linux_capability_util.h"
 #include "test/util/temp_path.h"
 #include "test/util/test_util.h"
 #include "test/util/thread_util.h"

test/syscalls/linux/tuntap.cc

@@ -38,6 +38,9 @@
 #include "test/util/capability_util.h"
 #include "test/util/file_descriptor.h"
 #include "test/util/fs_util.h"
+#include "test/util/linux_capability_util.h"
+#include "test/util/logging.h"
+#include "test/util/multiprocess_util.h"
 #include "test/util/posix_error.h"
 #include "test/util/socket_util.h"
 #include "test/util/test_util.h"
@@ -218,6 +221,31 @@ TEST_F(TuntapTest, CreateInterfaceNoCap) {
   EXPECT_THAT(ioctl(fd.get(), TUNSETIFF, &ifr), SyscallFailsWithErrno(EPERM));
 }
 
+TEST_F(TuntapTest, CreateInterfaceNoCapCantCheatWithUnshare) {
+  AutoCapability cap(CAP_NET_ADMIN, /*has_cap=*/false);
+
+  FileDescriptor fd = ASSERT_NO_ERRNO_AND_VALUE(Open(kDevNetTun, O_RDWR));
+  int fd_raw = fd.get();
+  struct ifreq ifr = {};
+  ifr.ifr_flags |= IFF_TUN;
+  strncpy(ifr.ifr_name, kTunName, IFNAMSIZ);
+
+  // Fork to avoid changing the user namespace of the original test process.
+  EXPECT_THAT(
+      InForkedProcess([&] {
+        // Fails with EPERM because we don't have CAP_NET_ADMIN.
+        TEST_CHECK_ERRNO(syscall(SYS_ioctl, fd_raw, TUNSETIFF, &ifr), EPERM);
+
+        // Enter a new user namespace in which we'd have all caps.
+        TEST_PCHECK(syscall(SYS_unshare, CLONE_NEWUSER) == 0);
+        // Still fails with EPERM because we still don't have CAP_NET_ADMIN in
+        // the owning namespace of the netns, even if we do in the new userns.
+        TEST_CHECK_ERRNO(syscall(SYS_ioctl, fd_raw, TUNSETIFF, &ifr), EPERM);
+        _exit(0);
+      }),
+      IsPosixErrorOkAndHolds(0));
+}
+
 TEST_F(TuntapTest, CreateFixedNameInterface) {
   SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_ADMIN)));