diff options
| author | Kevin Cernekee <cernekee@chromium.org> | 2017-12-03 12:12:45 -0800 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2018-01-31 12:06:11 +0100 |
| commit | a359a437fbc6bb08aa9cc8e25ef4ac3b77ca727b (patch) | |
| tree | 12d70f88af5470f36b39da1e5e1674558e8a05d1 /net/netfilter/xt_osf.c | |
| parent | 936b21419e7c5be2f81e6dea02fc3d8852f3fb83 (diff) | |
netfilter: nfnetlink_cthelper: Add missing permission checks
commit 4b380c42f7d00a395feede754f0bc2292eebe6e5 upstream.
The capability check in nfnetlink_rcv() verifies that the caller
has CAP_NET_ADMIN in the namespace that "owns" the netlink socket.
However, nfnl_cthelper_list is shared by all net namespaces on the
system. An unprivileged user can create user and net namespaces
in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable()
check:
$ nfct helper list
nfct v1.4.4: netlink error: Operation not permitted
$ vpnns -- nfct helper list
{
.name = ftp,
.queuenum = 0,
.l3protonum = 2,
.l4protonum = 6,
.priv_data_len = 24,
.status = enabled,
};
Add capable() checks in nfnetlink_cthelper, as this is cleaner than
trying to generalize the solution.
Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Acked-by: Michal Kubecek <mkubecek@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'net/netfilter/xt_osf.c')
0 files changed, 0 insertions, 0 deletions