* [PATCH] netlink: fix possible spoofing from non-root processes
@ 2012-08-23 12:09 pablo
From: pablo @ 2012-08-23 12:09 UTC
To: netdev; +Cc: davem
From: Pablo Neira Ayuso <pablo@netfilter.org>
Non-root user-space processes can send Netlink messages to other
processes that are well-known for being subscribed to Netlink
asynchronous notifications. This allows an illegitimate non-root
process to send forged messages to Netlink subscribers.
The userspace process usually verifies the legitimate origin in
two ways:
a) Socket credentials. If UID != 0, then the message comes from
some illegitimate process and the message needs to be dropped.
b) Netlink portID. In general, portID == 0 means that the origin
of the messages comes from the kernel. Thus, discarding any
message not coming from the kernel.
However, ctnetlink sets the portID in event messages that have
been triggered by some user-space process, e.g. the conntrack utility.
So other processes subscribed to ctnetlink events, eg. conntrackd,
know that the event was triggered by some user-space action.
Neither of the two ways to discard illegitimate messages coming
from non-root processes can help for ctnetlink.
This patch adds capability validation in case that dst_pid is set
in netlink_sendmsg(). This approach is aggressive since existing
applications using any Netlink bus to deliver messages between
two user-space processes will break. Note that the exception is
NETLINK_USERSOCK, since it is reserved for netlink-to-netlink
userspace communication.
Still, if anyone wants their Netlink bus to allow netlink-to-netlink
userspace communication, they can set NL_NONROOT_SEND. However, by default,
I don't think it makes sense to allow NETLINK_ROUTE to be used for
communication between two processes that exchange arbitrary information
unrelated to link/neighbouring/routing. They should be using
NETLINK_USERSOCK instead for that.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netlink/af_netlink.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 5463969..998dd18 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -1373,7 +1373,8 @@ static int netlink_sendmsg(struct kiocb *kiocb, struct socket *sock,
dst_pid = addr->nl_pid;
dst_group = ffs(addr->nl_groups);
err = -EPERM;
- if (dst_group && !netlink_capable(sock, NL_NONROOT_SEND))
+ if ((dst_group || dst_pid) &&
+ !netlink_capable(sock, NL_NONROOT_SEND))
goto out;
} else {
dst_pid = nlk->dst_pid;
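Review bot: the new test `if ((dst_group || dst_pid) &&` only guards the msg_name path; the `else` branch right below takes `dst_pid = nlk->dst_pid;` from a connected socket with no check at all. Unless netlink_connect() already refuses a non-zero nl_pid for sockets lacking NL_NONROOT_SEND (nothing in this hunk or the commit message says it does), an unprivileged process can connect() to the victim's portid and send through that branch, which defeats the fix; suggest applying the same `(nl_groups || nl_pid)` rule in netlink_connect(), or moving the capability check after the if/else so both paths see it. A one-line comment above the check would also help, since the name NL_NONROOT_SEND reads as a multicast-only flag and the hunk silently extends it to unicast.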
@@ -2147,6 +2148,7 @@ static void __init netlink_add_usersock_entry(void)
rcu_assign_pointer(nl_table[NETLINK_USERSOCK].listeners, listeners);
nl_table[NETLINK_USERSOCK].module = THIS_MODULE;
nl_table[NETLINK_USERSOCK].registered = 1;
+ nl_table[NETLINK_USERSOCK].nl_nonroot = NL_NONROOT_SEND;
netlink_table_ungrab();
}
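Review bot: `nl_table[NETLINK_USERSOCK].nl_nonroot = NL_NONROOT_SEND;` carries no comment, so a reader of netlink_add_usersock_entry() cannot tell why this one bus is exempt from the unicast restriction; the rationale (NETLINK_USERSOCK is reserved for user-to-user traffic) exists only in the commit message. Suggest a short comment above the line saying so. Minor: the line assigns rather than ORs the flag, so any nl_nonroot bit set elsewhere for this entry would be clobbered; `|= NL_NONROOT_SEND` is safer against future additions.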
--
1.7.10.4
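As an added example (not code from the patch, this thread, or the netfilter project), here is a C program covering both sides of what the message above describes. origin_verdict() is the subscriber-side filter implementing checks (a) and (b) on the sender's sockaddr_nl and SCM_CREDENTIALS uid, with a flag for buses such as ctnetlink where legitimate kernel events carry the triggering process's portid, so that check (b) alone would drop them. probe_self_unicast() opens an unprivileged socket on a given bus and unicasts one empty message to the socket's own portid, reporting the errno: on a kernel carrying this patch an unprivileged run gets EPERM on NETLINK_ROUTE and acceptance on NETLINK_USERSOCK, the exemption the patch adds. The function and enum names are this example's own assumptions; only the AF_NETLINK socket API and the (a)/(b) checks come from the page.

```c
#include <errno.h>
#include <linux/netlink.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Verdict of the subscriber-side origin filter (names are this example's). */
enum nl_verdict {
    NL_ACCEPT = 0,
    NL_DROP_UID,     /* check (a): sender uid != 0, not root            */
    NL_DROP_PORTID,  /* check (b): nl_pid != 0, not sent by the kernel  */
};

/*
 * Subscriber-side origin check, applied to every message recvmsg() returns:
 *   from              - msg_name, the sender's sockaddr_nl
 *   sender_uid        - uid field of the SCM_CREDENTIALS ancillary data
 *                       (the socket needs SO_PASSCRED to receive it)
 *   trust_user_portid - set for buses such as ctnetlink, where the kernel
 *                       emits events on behalf of a user-space action and
 *                       stamps that process's portid on them; check (b)
 *                       alone would discard those legitimate events.
 */
enum nl_verdict origin_verdict(const struct sockaddr_nl *from,
                               uid_t sender_uid, bool trust_user_portid)
{
    if (sender_uid != 0)
        return NL_DROP_UID;            /* check (a) */
    if (from->nl_pid != 0 && !trust_user_portid)
        return NL_DROP_PORTID;         /* check (b) */
    return NL_ACCEPT;
}

/* Same check with scalar inputs, convenient for table-driven review. */
int verdict_for(unsigned int nl_pid, uid_t sender_uid, bool trust_user_portid)
{
    struct sockaddr_nl from = { .nl_family = AF_NETLINK, .nl_pid = nl_pid };
    return origin_verdict(&from, sender_uid, trust_user_portid);
}

/*
 * Kernel-side probe: open a socket on 'proto', let the kernel assign a
 * portid, then unicast an empty NLMSG_NOOP to that same portid.
 * Returns 0 if sendto() was accepted, otherwise the errno. With this patch
 * applied, a non-root process gets EPERM on NETLINK_ROUTE (dst_pid != 0
 * without NL_NONROOT_SEND) and 0 on NETLINK_USERSOCK, which the patch
 * exempts; a process with CAP_NET_ADMIN gets 0 on both.
 */
int probe_self_unicast(int proto)
{
    int fd = socket(AF_NETLINK, SOCK_RAW, proto);
    if (fd < 0)
        return errno;

    struct sockaddr_nl self = { .nl_family = AF_NETLINK };
    socklen_t len = sizeof(self);
    if (bind(fd, (struct sockaddr *)&self, sizeof(self)) < 0 ||
        getsockname(fd, (struct sockaddr *)&self, &len) < 0) {
        int err = errno;
        close(fd);
        return err;
    }

    struct nlmsghdr hdr = {
        .nlmsg_len  = NLMSG_LENGTH(0),
        .nlmsg_type = NLMSG_NOOP,
        .nlmsg_pid  = self.nl_pid,
    };
    struct sockaddr_nl dst = { .nl_family = AF_NETLINK, .nl_pid = self.nl_pid };
    int err = 0;
    if (sendto(fd, &hdr, sizeof(hdr), 0,
               (struct sockaddr *)&dst, sizeof(dst)) < 0)
        err = errno;
    close(fd);
    return err;
}

int main(void)
{
    const struct { const char *name; int proto; } buses[] = {
        { "NETLINK_ROUTE",    NETLINK_ROUTE },
        { "NETLINK_USERSOCK", NETLINK_USERSOCK },
    };
    for (size_t i = 0; i < sizeof(buses) / sizeof(buses[0]); i++) {
        int err = probe_self_unicast(buses[i].proto);
        printf("%-17s self-unicast: %s\n", buses[i].name,
               err ? strerror(err) : "accepted");
    }
    return 0;
}
```

Run the probe as an unprivileged user to see whether the running kernel enforces the rule; running it as root (or with CAP_NET_ADMIN) tells you nothing, since the capability check passes on every bus. The origin_verdict() policy is what a subscriber such as conntrackd would have to apply before trusting a message, and the trust_user_portid knob is exactly the gap the commit message describes: once a bus legitimately carries user-space portids, check (b) no longer distinguishes kernel events from forged ones.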
* Re: [PATCH] netlink: fix possible spoofing from non-root processes
@ 2012-08-24 17:36 ` David Miller
From: David Miller @ 2012-08-24 17:36 UTC
To: pablo; +Cc: netdev
From: pablo@netfilter.org
Date: Thu, 23 Aug 2012 14:09:11 +0200
> From: Pablo Neira Ayuso <pablo@netfilter.org>
>
> Non-root user-space processes can send Netlink messages to other
> processes that are well-known for being subscribed to Netlink
> asynchronous notifications. This allows an illegitimate non-root
> process to send forged messages to Netlink subscribers.
>
> The userspace process usually verifies the legitimate origin in
> two ways:
>
> a) Socket credentials. If UID != 0, then the message comes from
> some illegitimate process and the message needs to be dropped.
>
> b) Netlink portID. In general, portID == 0 means that the origin
> of the messages comes from the kernel. Thus, discarding any
> message not coming from the kernel.
>
> However, ctnetlink sets the portID in event messages that have
> been triggered by some user-space process, e.g. the conntrack utility.
> So other processes subscribed to ctnetlink events, eg. conntrackd,
> know that the event was triggered by some user-space action.
>
> Neither of the two ways to discard illegitimate messages coming
> from non-root processes can help for ctnetlink.
>
> This patch adds capability validation in case that dst_pid is set
> in netlink_sendmsg(). This approach is aggressive since existing
> applications using any Netlink bus to deliver messages between
> two user-space processes will break. Note that the exception is
> NETLINK_USERSOCK, since it is reserved for netlink-to-netlink
> userspace communication.
>
> Still, if anyone wants their Netlink bus to allow netlink-to-netlink
> userspace communication, they can set NL_NONROOT_SEND. However, by default,
> I don't think it makes sense to allow NETLINK_ROUTE to be used for
> communication between two processes that exchange arbitrary information
> unrelated to link/neighbouring/routing. They should be using
> NETLINK_USERSOCK instead for that.
>
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Applied and queued up for -stable, thanks Pablo.