From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Kevin Cernekee <cernekee@chromium.org>,
Pablo Neira Ayuso <pablo@netfilter.org>,
Michal Kubecek <mkubecek@suse.cz>
Subject: [PATCH 3.18 31/52] netfilter: xt_osf: Add missing permission checks
Date: Mon, 29 Jan 2018 13:56:49 +0100 [thread overview]
Message-ID: <20180129123629.556768281@linuxfoundation.org> (raw)
In-Reply-To: <20180129123628.168904217@linuxfoundation.org>
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kevin Cernekee <cernekee@chromium.org>
commit 916a27901de01446bcf57ecca4783f6cff493309 upstream.
The capability check in nfnetlink_rcv() verifies that the caller
has CAP_NET_ADMIN in the namespace that "owns" the netlink socket.
However, xt_osf_fingers is shared by all net namespaces on the
system. An unprivileged user can create user and net namespaces
in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable()
check:
vpnns -- nfnl_osf -f /tmp/pf.os
vpnns -- nfnl_osf -f /tmp/pf.os -d
These non-root operations successfully modify the systemwide OS
fingerprint list. Add new capable() checks so that they can't.
Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Acked-by: Michal Kubecek <mkubecek@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/netfilter/xt_osf.c | 7 +++++++
1 file changed, 7 insertions(+)
--- a/net/netfilter/xt_osf.c
+++ b/net/netfilter/xt_osf.c
@@ -19,6 +19,7 @@
#include <linux/module.h>
#include <linux/kernel.h>
+#include <linux/capability.h>
#include <linux/if.h>
#include <linux/inetdevice.h>
#include <linux/ip.h>
@@ -69,6 +70,9 @@ static int xt_osf_add_callback(struct so
struct xt_osf_finger *kf = NULL, *sf;
int err = 0;
+ if (!capable(CAP_NET_ADMIN))
+ return -EPERM;
+
if (!osf_attrs[OSF_ATTR_FINGER])
return -EINVAL;
@@ -112,6 +116,9 @@ static int xt_osf_remove_callback(struct
struct xt_osf_finger *sf;
int err = -ENOENT;
+ if (!capable(CAP_NET_ADMIN))
+ return -EPERM;
+
if (!osf_attrs[OSF_ATTR_FINGER])
return -EINVAL;
next prev parent reply other threads:[~2018-01-29 12:56 UTC|newest]
Thread overview: 62+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-29 12:56 [PATCH 3.18 00/52] 3.18.93-stable review Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 3.18 01/52] gcov: disable for COMPILE_TEST Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 3.18 02/52] scsi: sg: disable SET_FORCE_LOW_DMA Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 3.18 03/52] futex: Prevent overflow by strengthen input validation Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 3.18 04/52] ALSA: pcm: Remove yet superfluous WARN_ON() Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 3.18 05/52] ALSA: hda - Apply the existing quirk to iMac 14,1 Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 3.18 06/52] af_key: fix buffer overread in verify_address_len() Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 3.18 07/52] af_key: fix buffer overread in parse_exthdrs() Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 3.18 08/52] pipe: avoid round_pipe_size() nr_pages overflow on 32-bit Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 3.18 09/52] Input: 88pm860x-ts - fix child-node lookup Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 3.18 10/52] Input: twl6040-vibra - fix DT node memory management Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 3.18 11/52] Input: twl6040-vibra - fix child-node lookup Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 3.18 12/52] Input: twl4030-vibra - fix ERROR: Bad of_node_put() warning Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 3.18 13/52] Input: twl4030-vibra - fix sibling-node lookup Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 3.18 14/52] phy: work around phys references to usb-nop-xceiv devices Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 3.18 15/52] ARM: dts: kirkwood: fix pin-muxing of MPP7 on OpenBlocks A7 Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 3.18 16/52] dm btree: fix serious bug in btree_split_beneath() Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 3.18 17/52] dm thin metadata: THIN_MAX_CONCURRENT_LOCKS should be 6 Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 3.18 18/52] arm64: KVM: Fix SMCCC handling of unimplemented SMC/HVC calls Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 3.18 19/52] MIPS: AR7: ensure the port types FCR value is used Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 3.18 20/52] x86/asm/32: Make sync_core() handle missing CPUID on all 32-bit kernels Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 3.18 21/52] usbip: Fix implicit fallthrough warning Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 3.18 22/52] can: af_can: can_rcv(): replace WARN_ONCE by pr_warn_once Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 3.18 23/52] can: af_can: canfd_rcv(): " Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 3.18 24/52] mm/mmap.c: do not blow on PROT_NONE MAP_FIXED holes in the stack Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 3.18 25/52] hwpoison, memcg: forcibly uncharge LRU pages Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 3.18 26/52] ipc: msg, make msgrcv work with LONG_MIN Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 3.18 27/52] netfilter: nf_ct_expect: remove the redundant slash when policy name is empty Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 3.18 28/52] netfilter: restart search if moved to other chain Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 3.18 29/52] netfilter: nf_conntrack_sip: extend request line validation Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 3.18 30/52] netfilter: nfnetlink_cthelper: Add missing permission checks Greg Kroah-Hartman
2018-01-29 12:56 ` Greg Kroah-Hartman [this message]
2018-01-29 12:56 ` [PATCH 3.18 32/52] reiserfs: fix race in prealloc discard Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 3.18 33/52] reiserfs: dont preallocate blocks for extended attributes Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 3.18 34/52] fs/fcntl: f_setown, avoid undefined behaviour Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 3.18 35/52] scsi: libiscsi: fix shifting of DID_REQUEUE host byte Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 3.18 36/52] um: link vmlinux with -no-pie Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 3.18 37/52] eventpoll.h: add missing epoll event masks Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 3.18 38/52] um: Stop abusing __KERNEL__ Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 3.18 39/52] um: Remove copy&paste code from init.h Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 3.18 40/52] x86/microcode/intel: Extend BDW late-loading further with LLC size check Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 3.18 41/52] net: tcp: close sock if net namespace is exiting Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 3.18 42/52] dccp: dont restart ccid2_hc_tx_rto_expire() if sk in closed state Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 3.18 43/52] net: igmp: fix source address check for IGMPv3 reports Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 3.18 44/52] tcp: __tcp_hdrlen() helper Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 3.18 45/52] net: qdisc_pkt_len_init() should be more robust Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 3.18 46/52] pppoe: take ->needed_headroom of lower device into account on xmit Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 3.18 47/52] sctp: do not allow the v4 socket to bind a v4mapped v6 address Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 3.18 48/52] sctp: return error if the asoc has been peeled off in sctp_wait_for_sndbuf Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 3.18 49/52] vmxnet3: repair memory leak Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 3.18 50/52] net: Allow neigh contructor functions ability to modify the primary_key Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 3.18 51/52] ipv6: fix udpv6 sendmsg crash caused by too small MTU Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 3.18 52/52] ipv4: Make neigh lookup keys for loopback/point-to-point devices be INADDR_ANY Greg Kroah-Hartman
2018-01-29 23:58 ` [PATCH 3.18 00/52] 3.18.93-stable review Shuah Khan
2018-01-30 7:37 ` Greg Kroah-Hartman
2018-01-30 5:09 ` Harsh Shandilya
2018-01-30 7:38 ` Greg Kroah-Hartman
2018-01-30 14:19 ` Guenter Roeck
2018-01-30 14:51 ` Greg Kroah-Hartman
2018-01-30 18:51 ` Greg Kroah-Hartman
2018-01-30 19:48 ` Guenter Roeck
2018-01-31 8:52 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180129123629.556768281@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=cernekee@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mkubecek@suse.cz \
--cc=pablo@netfilter.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).