On 03/26/2013 09:50 PM, Pablo Neira Ayuso wrote:
> I remember that report from Florian. After some discussion, I proposed
> this solution:
>
> commit 20e1db19db5d6b9e4e83021595eab0dc8f107bef
> Author: Pablo Neira Ayuso
> Date: Thu Aug 23 02:09:11 2012 +0000
>
>     netlink: fix possible spoofing from non-root processes
>
> Basically, it disables netlink-to-netlink communications between
> non-root processes (with the exception of NETLINK_USERSOCK), so
> non-root processes cannot spoof messages anymore.

We are a bit in a bind here because we need to support kernels without
this patch, and we don't want to add symbols to libmnl which aren't part
of upstream.

Perhaps an interface to access the sender socket address would be an
acceptable compromise, like the attached patch? That would be useful
independently.

-- 
Florian Weimer / Red Hat Product Security Team
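
The sender-address check discussed in this message, as an added example that is not part of the original e-mail, the attached patch, or libmnl: on a kernel without the quoted commit, a receiver can read the sender's `sockaddr_nl` from `recvmsg()` and drop any datagram whose port ID is not 0 (the kernel). The function names `sender_is_kernel` and `recv_from_kernel` are hypothetical.

```c
#include <errno.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <linux/netlink.h>

/* Hypothetical helper: a netlink datagram came from the kernel only if
 * the sender address is a complete sockaddr_nl, of family AF_NETLINK,
 * with port ID (nl_pid) 0. Any other nl_pid is a userspace socket. */
int sender_is_kernel(const struct sockaddr_nl *addr, socklen_t len)
{
    return len == sizeof(*addr) &&
           addr->nl_family == AF_NETLINK &&
           addr->nl_pid == 0;
}

/* Hypothetical helper: receive one datagram and reject it unless the
 * kernel sent it. Returns the byte count, or -1 with errno set
 * (EPERM for a userspace sender, EMSGSIZE for a truncated datagram). */
ssize_t recv_from_kernel(int fd, void *buf, size_t buflen)
{
    struct sockaddr_nl addr;
    struct iovec iov = { .iov_base = buf, .iov_len = buflen };
    struct msghdr msg;
    ssize_t n;

    memset(&addr, 0, sizeof(addr));
    memset(&msg, 0, sizeof(msg));
    msg.msg_name = &addr;            /* kernel fills in the sender here */
    msg.msg_namelen = sizeof(addr);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;

    n = recvmsg(fd, &msg, 0);
    if (n < 0)
        return -1;
    if (msg.msg_flags & MSG_TRUNC) { /* never parse a partial message */
        errno = EMSGSIZE;
        return -1;
    }
    if (!sender_is_kernel(&addr, msg.msg_namelen)) {
        errno = EPERM;               /* sent by another userspace socket */
        return -1;
    }
    return n;
}
```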