netdev.vger.kernel.org archive mirror
* [PATCH] Add CAP_NET_RAW checks to bind() and sendmsg() on a AF_PACKET socket
From: Sridhar Samudrala @ 2010-01-12 23:54 UTC (permalink / raw)
  To: David Miller; +Cc: netdev

CAP_NET_RAW capability check is currently done only when creating
a PF_PACKET socket. But there are no such checks when doing a bind()
to a specific interface or sending a message to a specific interface
via sendmsg() with msg->msg_name.

So when a packet socket fd is passed to an un-privileged process, it
can do a re-bind or send a message to any interface.
We ran into this case when considering using raw socket backend for
KVM guests with libvirt opening the packet socket and passing the fd to
an un-privileged qemu process.

The following patch adds CAP_NET_RAW checks to bind() and sendmsg()
with msg_name calls.

Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>

diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -958,6 +958,9 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg)
 		proto	= po->num;
 		addr	= NULL;
 	} else {
+		if (!capable(CAP_NET_RAW))
+			return -EACCES;
+
 		err = -EINVAL;
 		if (msg->msg_namelen < sizeof(struct sockaddr_ll))
 			goto out;
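
Review bot: the new check in the else branch of tpacket_snd() exits with a bare `return -EACCES;`, while the very next error path sets `err = -EINVAL` and does `goto out`. If anything acquired earlier in the function is released under `out`, the direct return skips it; setting `err = -EACCES; goto out;` would keep this failure on the same exit path as its neighbours.
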
@@ -1075,6 +1078,9 @@ static int packet_snd(struct socket *sock,
 		proto	= po->num;
 		addr	= NULL;
 	} else {
+		if (!capable(CAP_NET_RAW))
+			return -EACCES;
+
 		err = -EINVAL;
 		if (msg->msg_namelen < sizeof(struct sockaddr_ll))
 			goto out;
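
Review bot: the errno chosen in the msg_name branch of packet_snd() is -EACCES, but a failed capable() test is more commonly reported as -EPERM. Please confirm which value userspace should see when the holder of the fd lacks CAP_NET_RAW, and use that value consistently in all four checks of this patch.
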
@@ -1284,6 +1290,8 @@ static int packet_bind_spkt(struct socket *sock, struct sockaddr *uaddr,
 	struct net_device *dev;
 	int err = -ENODEV;
 
+	if (!capable(CAP_NET_RAW))
+		return -EACCES;
 	/*
 	 *	Check legality
 	 */
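
Review bot: in packet_bind_spkt() the added check sits directly on top of the `Check legality` comment with no blank line and no comment of its own. Add a blank line after `return -EACCES;` and a short comment saying that the capability is re-checked at bind time because the socket may have been opened by a different, privileged process; at the moment that reason exists only in the commit message.
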
@@ -1307,6 +1315,8 @@ static int packet_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len
 	struct net_device *dev = NULL;
 	int err;
 
+	if (!capable(CAP_NET_RAW))
+		return -EACCES;
 
 	/*
 	 *	Check legality
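
Review bot: the check at the top of packet_bind() is unconditional, so a caller without CAP_NET_RAW is refused before the legality checks run, whatever address it asks for, including the one the socket is already bound to. If the goal is only to stop a passed fd from being moved to a different interface, either state in the changelog that every bind() by such a process now fails, or narrow the test to requests that change the binding.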




* Re: [PATCH] Add CAP_NET_RAW checks to bind() and sendmsg() on a AF_PACKET socket
From: David Miller @ 2010-01-13  0:03 UTC (permalink / raw)
  To: sri; +Cc: netdev

From: Sridhar Samudrala <sri@us.ibm.com>
Date: Tue, 12 Jan 2010 15:54:00 -0800

> So when a packet socket fd is passed to an un-privileged process, it
> can do a re-bind or send a message to any interface.

I think passing such fd's to an unprivileged process is a
very serious security hole.

There are so many anti-social things you can do with
that even if you control how it is bound.
