From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Google-Smtp-Source: AH8x224/SAK60RBzh/nV+KTr0yGROwtnadA6188QRUtu/STi1x1+S0IxIwd9pJ4spwQyztpdp0ea ARC-Seal: i=1; a=rsa-sha256; t=1517256928; cv=none; d=google.com; s=arc-20160816; b=ig3DME/CwONNBkXSRzy0U+HtArmA58WQBIwbKOX4+CsxF1rA0NhOp9OWNUqrMn2rWS Yyr4dy7dQOBtQhv2YbRj7gRx9cJ8yTcIZZBFOy8w3jycha/UAhtSz1jyg8+8X2YoMwA0 KNU28x/d556+uk7D4wcZwoGB/eBmhhwhNS8QR8vx01potkuNU6ErO62R5W7UneqTiCbh H8LfYiVEiNOPyrijc/iR9TOGaoc/189xM250iTKoawPyL4lGsWfFv4zbNOAGmifu76mj nWMyn1DFmpweQPFaOHFeRmbJNX8FfENH4tpBCFuN3u0WGjvaX0IccUT5jNMegMEByvke afnQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=mime-version:user-agent:references:in-reply-to:message-id:date :subject:cc:to:from:arc-authentication-results; bh=XeU69S1Mvip5JgOZ43ed4y1w7e0cxzwvcx1WO3LKJso=; b=0qtBRSBSmposrByu3lhjiRV7e1RtPL4NllnZ3xJO3dJFPBLBTdeOWEg4xMRNvUKNJS 07o9ICemmGYCD4+UxsCLEU9FQg0nVbRzoOMhimotWyUUUNfxiQt7FYBjJFsM+pCIUfxs ghURiDbOjk20IbfbdznLj8GNsPZKjuKM3bAGjYT+vMH9buVKEflqu66K/MSt3EcAqtTY bs2V3PWcajDiHD0q1tABcMnQ5/jeKAf2eBtW8/NHh1s/Wa4TJ4HbQ6qQfig9yf2qL4TL aWDnc8fj1TclCqAW8D9c/35HP6oUHjQPd888kThSmThvWzsjERYuR40fhSq+rbgSHoiq HrRg== ARC-Authentication-Results: i=1; mx.google.com; spf=softfail (google.com: domain of transitioning gregkh@linuxfoundation.org does not designate 90.92.71.90 as permitted sender) smtp.mailfrom=gregkh@linuxfoundation.org Authentication-Results: mx.google.com; spf=softfail (google.com: domain of transitioning gregkh@linuxfoundation.org does not designate 90.92.71.90 as permitted sender) smtp.mailfrom=gregkh@linuxfoundation.org From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Kevin Cernekee , Pablo Neira Ayuso , Michal Kubecek Subject: [PATCH 4.14 05/71] netfilter: xt_osf: Add missing permission checks Date: Mon, 29 Jan 2018 13:56:33 +0100 Message-Id: <20180129123827.693106349@linuxfoundation.org> X-Mailer: git-send-email 2.16.1 In-Reply-To: <20180129123827.271171825@linuxfoundation.org> References: <20180129123827.271171825@linuxfoundation.org> User-Agent: quilt/0.65 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-LABELS: =?utf-8?b?IlxcU2VudCI=?= X-GMAIL-THRID: =?utf-8?q?1590958646544248855?= X-GMAIL-MSGID: =?utf-8?q?1590959200843643240?= X-Mailing-List: linux-kernel@vger.kernel.org List-ID: 4.14-stable review patch. If anyone has any objections, please let me know. ------------------ From: Kevin Cernekee commit 916a27901de01446bcf57ecca4783f6cff493309 upstream. The capability check in nfnetlink_rcv() verifies that the caller has CAP_NET_ADMIN in the namespace that "owns" the netlink socket. However, xt_osf_fingers is shared by all net namespaces on the system. An unprivileged user can create user and net namespaces in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable() check: vpnns -- nfnl_osf -f /tmp/pf.os vpnns -- nfnl_osf -f /tmp/pf.os -d These non-root operations successfully modify the systemwide OS fingerprint list. Add new capable() checks so that they can't. Signed-off-by: Kevin Cernekee Signed-off-by: Pablo Neira Ayuso Acked-by: Michal Kubecek Signed-off-by: Greg Kroah-Hartman --- net/netfilter/xt_osf.c | 7 +++++++ 1 file changed, 7 insertions(+) --- a/net/netfilter/xt_osf.c +++ b/net/netfilter/xt_osf.c @@ -19,6 +19,7 @@ #include #include +#include #include #include #include @@ -70,6 +71,9 @@ static int xt_osf_add_callback(struct ne struct xt_osf_finger *kf = NULL, *sf; int err = 0; + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + if (!osf_attrs[OSF_ATTR_FINGER]) return -EINVAL; @@ -115,6 +119,9 @@ static int xt_osf_remove_callback(struct struct xt_osf_finger *sf; int err = -ENOENT; + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + if (!osf_attrs[OSF_ATTR_FINGER]) return -EINVAL;