From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Kevin Cernekee, Pablo Neira Ayuso, Michal Kubecek
Subject: [PATCH 3.18 30/52] netfilter: nfnetlink_cthelper: Add missing permission checks
Date: Mon, 29 Jan 2018 13:56:48 +0100
Message-Id: <20180129123629.506022968@linuxfoundation.org>
X-Mailer: git-send-email 2.16.1
In-Reply-To: <20180129123628.168904217@linuxfoundation.org>
References: <20180129123628.168904217@linuxfoundation.org>
User-Agent: quilt/0.65
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
X-Mailing-List: linux-kernel@vger.kernel.org
List-ID:

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kevin Cernekee

commit 4b380c42f7d00a395feede754f0bc2292eebe6e5 upstream.

The capability check in nfnetlink_rcv() verifies that the caller
has CAP_NET_ADMIN in the namespace that "owns" the netlink socket.
However, nfnl_cthelper_list is shared by all net namespaces on the
system.  An unprivileged user can create user and net namespaces
in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable()
check:

    $ nfct helper list
    nfct v1.4.4: netlink error: Operation not permitted

    $ vpnns -- nfct helper list
    {
            .name = ftp,
            .queuenum = 0,
            .l3protonum = 2,
            .l4protonum = 6,
            .priv_data_len = 24,
            .status = enabled,
    };

Add capable() checks in nfnetlink_cthelper, as this is cleaner than
trying to generalize the solution.

Signed-off-by: Kevin Cernekee
Signed-off-by: Pablo Neira Ayuso
Acked-by: Michal Kubecek
Signed-off-by: Greg Kroah-Hartman

---
 net/netfilter/nfnetlink_cthelper.c |   10 ++++++++++
 1 file changed, 10 insertions(+)

--- a/net/netfilter/nfnetlink_cthelper.c
+++ b/net/netfilter/nfnetlink_cthelper.c
@@ -17,6 +17,7 @@ #include #include #include +#include #include #include 
@@ -392,6 +393,9 @@ nfnl_cthelper_new(struct sock *nfnl, str struct nfnl_cthelper *nlcth; int ret = 0; + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + if (!tb[NFCTH_NAME] || !tb[NFCTH_TUPLE]) return -EINVAL; @@ -595,6 +599,9 @@ nfnl_cthelper_get(struct sock *nfnl, str struct nfnl_cthelper *nlcth; bool tuple_set = false; + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + if (nlh->nlmsg_flags & NLM_F_DUMP) { struct netlink_dump_control c = { .dump = nfnl_cthelper_dump_table, @@ -661,6 +668,9 @@ nfnl_cthelper_del(struct sock *nfnl, str struct nfnl_cthelper *nlcth, *n; int j = 0, ret; + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + if (tb[NFCTH_NAME]) helper_name = nla_data(tb[NFCTH_NAME]);
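Review bot: the header name on the `+#include` line of the first hunk (the `@@ -17,6 +17,7 @@` region near the top of net/netfilter/nfnetlink_cthelper.c) has been lost in this rendering, along with the names of the five surrounding includes, so that hunk cannot be reviewed from what is shown here. capable() is declared in linux/capability.h, which is what the new include needs to pull in; compare against the upstream commit 4b380c42f7d0 before applying.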
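Review bot: in nfnl_cthelper_new the new `if (!capable(CAP_NET_ADMIN)) return -EPERM;` sits before the `!tb[NFCTH_NAME] || !tb[NFCTH_TUPLE]` validation, so an unprivileged caller is refused before any of its attributes are interpreted; keep that ordering. The choice of capable() over netlink_net_capable() is the substance of the fix (the list being guarded is global, so the capability has to be held in the initial user namespace, not in whichever namespace owns the socket), but nothing at the call site says so; a one-line comment on this first check would stop a future cleanup from "correcting" it back to a namespace-relative check.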
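Review bot: in nfnl_cthelper_get the check is placed ahead of the `if (nlh->nlmsg_flags & NLM_F_DUMP)` branch, which is what actually closes the leak reproduced in the commit message: `nfct helper list` is a dump request, and without the early return netlink_dump_start() would be reached with only the per-namespace check in nfnetlink_rcv() having run. The non-dump GET path further down is covered by the same return. Worth confirming with the `vpnns -- nfct helper list` case that the output now matches the first example, "netlink error: Operation not permitted", instead of the ftp helper record.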
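Review bot: nfnl_cthelper_del now opens with the same three lines as nfnl_cthelper_new and nfnl_cthelper_get, before `if (tb[NFCTH_NAME])` is consulted. Three identical copies are a maintenance hazard; a small static helper in this file, or a per-subsystem flag honoured in nfnetlink_rcv(), would keep them in one place, though the commit message explicitly prefers local checks over generalising. Either way, the behavioural change to test is that new, get and del all return -EPERM from inside a user namespace regardless of which attributes are supplied.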
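The bypass the commit message reproduces with `vpnns -- nfct helper list` can be checked without nfct. The program below is an added example written for this page, not code from the patch or from the netfilter project: it enters a fresh user plus net namespace (the position vpnns puts nfct in), sends the same cthelper dump request over NETLINK_NETFILTER, and classifies the kernel's first reply. The nfnetlink constants and struct nfgenmsg are copied from the kernel's uapi headers so the file builds with only <linux/netlink.h>; it assumes unprivileged user namespaces are enabled and the nfnetlink_cthelper module is loaded (otherwise the result is reported as inconclusive, not as a pass).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>

/* unshare() and the CLONE_NEW* flags are only exposed under _GNU_SOURCE;
 * spell them out so the file also builds when a harness has already
 * pulled in <features.h> without it. Values are from the uapi headers. */
int unshare(int flags);
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif
#ifndef CLONE_NEWNET
#define CLONE_NEWNET  0x40000000
#endif

/* From linux/netfilter/nfnetlink.h and nfnetlink_cthelper.h (uapi). */
#define NFNL_SUBSYS_CTHELPER  9
#define NFNL_MSG_CTHELPER_GET 1
#define NFNETLINK_V0          0
struct nfgenmsg {
	uint8_t  nfgen_family;   /* AF_UNSPEC for a table dump */
	uint8_t  version;        /* NFNETLINK_V0 */
	uint16_t res_id;         /* big-endian, unused here */
};

struct cthelper_req { struct nlmsghdr nlh; struct nfgenmsg nfg; };
enum verdict { VERDICT_PATCHED = 0, VERDICT_VULNERABLE = 1, VERDICT_INCONCLUSIVE = 2 };

/* Build what "nfct helper list" sends: a dump of the cthelper table.
 * Returns the total length, nlmsghdr (16) + nfgenmsg (4) = 20 bytes. */
size_t build_cthelper_list_req(struct cthelper_req *req, uint32_t seq)
{
	memset(req, 0, sizeof(*req));
	req->nlh.nlmsg_len    = NLMSG_LENGTH(sizeof(struct nfgenmsg));
	req->nlh.nlmsg_type   = (NFNL_SUBSYS_CTHELPER << 8) | NFNL_MSG_CTHELPER_GET;
	req->nlh.nlmsg_flags  = NLM_F_REQUEST | NLM_F_DUMP;
	req->nlh.nlmsg_seq    = seq;
	req->nfg.nfgen_family = AF_UNSPEC;
	req->nfg.version      = NFNETLINK_V0;
	return req->nlh.nlmsg_len;
}

/* Classify the first reply message. The patched nfnl_cthelper_get returns
 * -EPERM before netlink_dump_start(), which arrives as an NLMSG_ERROR ack;
 * an unpatched kernel serves the dump (helper records, or just NLMSG_DONE
 * for an empty table). Any other error (e.g. -EOPNOTSUPP when the module
 * is not loaded) or a truncated buffer is inconclusive. */
enum verdict classify_reply(const void *buf, int len)
{
	const struct nlmsghdr *nlh = buf;

	if (!NLMSG_OK(nlh, len))
		return VERDICT_INCONCLUSIVE;
	if (nlh->nlmsg_type == NLMSG_ERROR) {
		const struct nlmsgerr *err = NLMSG_DATA(nlh);
		if (nlh->nlmsg_len < NLMSG_LENGTH(sizeof(*err)))
			return VERDICT_INCONCLUSIVE;
		return err->error == -EPERM ? VERDICT_PATCHED : VERDICT_INCONCLUSIVE;
	}
	return VERDICT_VULNERABLE;
}

/* Synthesise the NLMSG_ERROR ack the kernel sends for a request that
 * failed with `error`; used to exercise classify_reply() offline. */
size_t build_error_reply(void *buf, int error, const struct nlmsghdr *orig)
{
	struct nlmsghdr *nlh = buf;
	struct nlmsgerr *err;

	memset(nlh, 0, NLMSG_LENGTH(sizeof(*err)));
	nlh->nlmsg_len  = NLMSG_LENGTH(sizeof(*err));
	nlh->nlmsg_type = NLMSG_ERROR;
	nlh->nlmsg_seq  = orig->nlmsg_seq;
	err = NLMSG_DATA(nlh);
	err->error = error;
	err->msg   = *orig;
	return nlh->nlmsg_len;
}

int main(void)
{
	struct cthelper_req req;
	char buf[8192];
	ssize_t n;
	int fd;

	/* Fresh user namespace owning a fresh net namespace: the creator holds
	 * every capability there, including CAP_NET_ADMIN, with no uid_map. */
	if (unshare(CLONE_NEWUSER | CLONE_NEWNET) < 0) {
		perror("unshare(CLONE_NEWUSER|CLONE_NEWNET)");
		return VERDICT_INCONCLUSIVE;
	}
	fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_NETFILTER);
	if (fd < 0) { perror("socket(NETLINK_NETFILTER)"); return VERDICT_INCONCLUSIVE; }
	/* Unbound netlink sockets are auto-bound on send; destination is the kernel. */
	if (send(fd, &req, build_cthelper_list_req(&req, 1), 0) < 0) {
		perror("send"); return VERDICT_INCONCLUSIVE;
	}
	n = recv(fd, buf, sizeof(buf), 0);
	if (n < 0) { perror("recv"); return VERDICT_INCONCLUSIVE; }

	switch (classify_reply(buf, (int)n)) {
	case VERDICT_PATCHED:
		puts("patched: cthelper dump refused with EPERM inside an unprivileged user namespace");
		return VERDICT_PATCHED;
	case VERDICT_VULNERABLE:
		puts("vulnerable: cthelper dump served to an unprivileged user namespace");
		return VERDICT_VULNERABLE;
	default:
		puts("inconclusive: nfnetlink_cthelper not loaded or unexpected reply");
		return VERDICT_INCONCLUSIVE;
	}
}
```

Run it as an ordinary user; the exit status mirrors the verdict (0 patched, 1 vulnerable, 2 inconclusive). The same request sent from the initial namespace is refused on both patched and unpatched kernels, which is why the check has to be made from inside the user namespace to say anything about this fix.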