[PATCH 0/5] Raw socket cleanups

[PATCH 0/5] Raw socket cleanups

[Greg Kroah-Hartman]

Ori Nimron pointed out that there are a number of places in the kernel
where you can create a raw socket, without having to have the
CAP_NET_RAW permission.

To resolve this, here's a short patch series to test these odd and old
protocols for this permission before allowing the creation to succeed

All patches are currently against the net tree.

thanks,

greg k-h

Ori Nimron (5):
  mISDN: enforce CAP_NET_RAW for raw sockets
  appletalk: enforce CAP_NET_RAW for raw sockets
  ax25: enforce CAP_NET_RAW for raw sockets
  ieee802154: enforce CAP_NET_RAW for raw sockets
  nfc: enforce CAP_NET_RAW for raw sockets

 drivers/isdn/mISDN/socket.c | 2 ++
 net/appletalk/ddp.c         | 5 +++++
 net/ax25/af_ax25.c          | 2 ++
 net/ieee802154/socket.c     | 3 +++
 net/nfc/llcp_sock.c         | 7 +++++--
 5 files changed, 17 insertions(+), 2 deletions(-)

-- 
2.23.0

[PATCH 1/5] mISDN: enforce CAP_NET_RAW for raw sockets

[Greg Kroah-Hartman]

From: Ori Nimron <orinimron123@gmail.com>

When creating a raw AF_ISDN socket, CAP_NET_RAW needs to be checked
first.

Signed-off-by: Ori Nimron <orinimron123@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/isdn/mISDN/socket.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/isdn/mISDN/socket.c b/drivers/isdn/mISDN/socket.c
index c6ba37df4b9d..dff4132b3702 100644
--- a/drivers/isdn/mISDN/socket.c
+++ b/drivers/isdn/mISDN/socket.c
@@ -754,6 +754,8 @@ base_sock_create(struct net *net, struct socket *sock, int protocol, int kern)
 
 	if (sock->type != SOCK_RAW)
 		return -ESOCKTNOSUPPORT;
+	if (!capable(CAP_NET_RAW))
+		return -EPERM;
 
 	sk = sk_alloc(net, PF_ISDN, GFP_KERNEL, &mISDN_proto, kern);
 	if (!sk)
-- 
2.23.0

[PATCH 2/5] appletalk: enforce CAP_NET_RAW for raw sockets

[Greg Kroah-Hartman]

From: Ori Nimron <orinimron123@gmail.com>

When creating a raw AF_APPLETALK socket, CAP_NET_RAW needs to be checked
first.

Signed-off-by: Ori Nimron <orinimron123@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/appletalk/ddp.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/net/appletalk/ddp.c b/net/appletalk/ddp.c
index 4072e9d394d6..b41375d4d295 100644
--- a/net/appletalk/ddp.c
+++ b/net/appletalk/ddp.c
@@ -1023,6 +1023,11 @@ static int atalk_create(struct net *net, struct socket *sock, int protocol,
 	 */
 	if (sock->type != SOCK_RAW && sock->type != SOCK_DGRAM)
 		goto out;
+
+	rc = -EPERM;
+	if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW))
+		goto out;
+
 	rc = -ENOMEM;
 	sk = sk_alloc(net, PF_APPLETALK, GFP_KERNEL, &ddp_proto, kern);
 	if (!sk)
-- 
2.23.0

[PATCH 3/5] ax25: enforce CAP_NET_RAW for raw sockets

[Greg Kroah-Hartman]

From: Ori Nimron <orinimron123@gmail.com>

When creating a raw AF_AX25 socket, CAP_NET_RAW needs to be checked
first.

Signed-off-by: Ori Nimron <orinimron123@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ax25/af_ax25.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
index ca5207767dc2..bb222b882b67 100644
--- a/net/ax25/af_ax25.c
+++ b/net/ax25/af_ax25.c
@@ -855,6 +855,8 @@ static int ax25_create(struct net *net, struct socket *sock, int protocol,
 		break;
 
 	case SOCK_RAW:
+		if (!capable(CAP_NET_RAW))
+			return -EPERM;
 		break;
 	default:
 		return -ESOCKTNOSUPPORT;
-- 
2.23.0

[PATCH 4/5] ieee802154: enforce CAP_NET_RAW for raw sockets

[Greg Kroah-Hartman]

From: Ori Nimron <orinimron123@gmail.com>

When creating a raw AF_IEEE802154 socket, CAP_NET_RAW needs to be
checked first.

Signed-off-by: Ori Nimron <orinimron123@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ieee802154/socket.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/ieee802154/socket.c b/net/ieee802154/socket.c
index badc5cfe4dc6..d93d4531aa9b 100644
--- a/net/ieee802154/socket.c
+++ b/net/ieee802154/socket.c
@@ -1008,6 +1008,9 @@ static int ieee802154_create(struct net *net, struct socket *sock,
 
 	switch (sock->type) {
 	case SOCK_RAW:
+		rc = -EPERM;
+		if (!capable(CAP_NET_RAW))
+			goto out;
 		proto = &ieee802154_raw_prot;
 		ops = &ieee802154_raw_ops;
 		break;
-- 
2.23.0

Re: [PATCH 4/5] ieee802154: enforce CAP_NET_RAW for raw sockets

[Stefan Schmidt]

Hello.

On 20.09.19 09:35, Greg Kroah-Hartman wrote:
> From: Ori Nimron <orinimron123@gmail.com>
> 
> When creating a raw AF_IEEE802154 socket, CAP_NET_RAW needs to be
> checked first.
> 
> Signed-off-by: Ori Nimron <orinimron123@gmail.com>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> ---
>  net/ieee802154/socket.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/net/ieee802154/socket.c b/net/ieee802154/socket.c
> index badc5cfe4dc6..d93d4531aa9b 100644
> --- a/net/ieee802154/socket.c
> +++ b/net/ieee802154/socket.c
> @@ -1008,6 +1008,9 @@ static int ieee802154_create(struct net *net, struct socket *sock,
>  
>  	switch (sock->type) {
>  	case SOCK_RAW:
> +		rc = -EPERM;
> +		if (!capable(CAP_NET_RAW))
> +			goto out;
>  		proto = &ieee802154_raw_prot;
>  		ops = &ieee802154_raw_ops;
>  		break;
> 

I assume this will go as a whole series into net. If you want me to pick
it up into my tree directly let me know.

Acked-by: Stefan Schmidt <stefan@datenfreihafen.org>

regards
Stefan Schmidt

Re: [PATCH 4/5] ieee802154: enforce CAP_NET_RAW for raw sockets

[Greg Kroah-Hartman]

On Sat, Sep 21, 2019 at 01:58:55PM +0200, Stefan Schmidt wrote:
> Hello.
> 
> On 20.09.19 09:35, Greg Kroah-Hartman wrote:
> > From: Ori Nimron <orinimron123@gmail.com>
> > 
> > When creating a raw AF_IEEE802154 socket, CAP_NET_RAW needs to be
> > checked first.
> > 
> > Signed-off-by: Ori Nimron <orinimron123@gmail.com>
> > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> > ---
> >  net/ieee802154/socket.c | 3 +++
> >  1 file changed, 3 insertions(+)
> > 
> > diff --git a/net/ieee802154/socket.c b/net/ieee802154/socket.c
> > index badc5cfe4dc6..d93d4531aa9b 100644
> > --- a/net/ieee802154/socket.c
> > +++ b/net/ieee802154/socket.c
> > @@ -1008,6 +1008,9 @@ static int ieee802154_create(struct net *net, struct socket *sock,
> >  
> >  	switch (sock->type) {
> >  	case SOCK_RAW:
> > +		rc = -EPERM;
> > +		if (!capable(CAP_NET_RAW))
> > +			goto out;
> >  		proto = &ieee802154_raw_prot;
> >  		ops = &ieee802154_raw_ops;
> >  		break;
> > 
> 
> I assume this will go as a whole series into net. If you want me to pick
> it up into my tree directly let me know.
> 
> Acked-by: Stefan Schmidt <stefan@datenfreihafen.org>

That's up to the networking maintainer, if he does not suck it in, I'll
resend and ask you to take it.

thanks,

greg k-h

[PATCH 5/5] nfc: enforce CAP_NET_RAW for raw sockets

[Greg Kroah-Hartman]

From: Ori Nimron <orinimron123@gmail.com>

When creating a raw AF_NFC socket, CAP_NET_RAW needs to be checked
first.

Signed-off-by: Ori Nimron <orinimron123@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/nfc/llcp_sock.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c
index 9b8742947aff..8dfea26536c9 100644
--- a/net/nfc/llcp_sock.c
+++ b/net/nfc/llcp_sock.c
@@ -1004,10 +1004,13 @@ static int llcp_sock_create(struct net *net, struct socket *sock,
 	    sock->type != SOCK_RAW)
 		return -ESOCKTNOSUPPORT;
 
-	if (sock->type == SOCK_RAW)
+	if (sock->type == SOCK_RAW) {
+		if (!capable(CAP_NET_RAW))
+			return -EPERM;
 		sock->ops = &llcp_rawsock_ops;
-	else
+	} else {
 		sock->ops = &llcp_sock_ops;
+	}
 
 	sk = nfc_llcp_sock_alloc(sock, sock->type, GFP_ATOMIC, kern);
 	if (sk == NULL)
-- 
2.23.0

Re: [PATCH 0/5] Raw socket cleanups

[David Miller]

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Fri, 20 Sep 2019 09:35:44 +0200

> Ori Nimron pointed out that there are a number of places in the kernel
> where you can create a raw socket, without having to have the
> CAP_NET_RAW permission.
> 
> To resolve this, here's a short patch series to test these odd and old
> protocols for this permission before allowing the creation to succeed
> 
> All patches are currently against the net tree.

Applied and queued up for -stable.