netfilter: nfnetlink_cthelper: Add missing permission checks - Linux Stable

diff options

author	Kevin Cernekee <cernekee@chromium.org>	2017-12-03 12:12:45 -0800
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2018-01-31 12:06:11 +0100
commit	a359a437fbc6bb08aa9cc8e25ef4ac3b77ca727b (patch)
tree	12d70f88af5470f36b39da1e5e1674558e8a05d1 /net/netfilter/xt_osf.c
parent	936b21419e7c5be2f81e6dea02fc3d8852f3fb83 (diff)
download	linux-stable-a359a437fbc6bb08aa9cc8e25ef4ac3b77ca727b.tar.gz linux-stable-a359a437fbc6bb08aa9cc8e25ef4ac3b77ca727b.tar.bz2 linux-stable-a359a437fbc6bb08aa9cc8e25ef4ac3b77ca727b.zip

netfilter: nfnetlink_cthelper: Add missing permission checks

commit 4b380c42f7d00a395feede754f0bc2292eebe6e5 upstream. The capability check in nfnetlink_rcv() verifies that the caller has CAP_NET_ADMIN in the namespace that "owns" the netlink socket. However, nfnl_cthelper_list is shared by all net namespaces on the system. An unprivileged user can create user and net namespaces in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable() check: $ nfct helper list nfct v1.4.4: netlink error: Operation not permitted $ vpnns -- nfct helper list { .name = ftp, .queuenum = 0, .l3protonum = 2, .l4protonum = 6, .priv_data_len = 24, .status = enabled, }; Add capable() checks in nfnetlink_cthelper, as this is cleaner than trying to generalize the solution. Signed-off-by: Kevin Cernekee <cernekee@chromium.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Acked-by: Michal Kubecek <mkubecek@suse.cz> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Diffstat (limited to 'net/netfilter/xt_osf.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: