public inbox for netfilter-devel@vger.kernel.org
* [PATCH v2] libxtables: refuse to run under file capabilities
@ 2026-02-12 13:35 Alan Ross
  2026-02-12 13:47 ` Florian Westphal
  2026-02-13 11:38 ` Florian Westphal
  0 siblings, 2 replies; 6+ messages in thread
From: Alan Ross @ 2026-02-12 13:35 UTC (permalink / raw)
  To: netfilter-devel

Extend the existing setuid guard in xtables_init() to also detect
file capabilities via getauxval(AT_SECURE).

Some container runtimes and minimal distributions grant cap_net_admin
via file capabilities (setcap cap_net_admin+ep /usr/sbin/iptables)
rather than running through sudo.  In that configuration the kernel
sets AT_SECURE and the dynamic linker strips LD_PRELOAD, but
getuid() == geteuid() so the existing setuid check passes.
Attacker-controlled env vars (XTABLES_LIBDIR, IPTABLES_LIB_DIR,
IP6TABLES_LIB_DIR) still reach dlopen(), allowing arbitrary code
execution as the capability-elevated user.

getauxval(AT_SECURE) is nonzero whenever the kernel has set AT_SECURE
in the auxiliary vector -- this covers both classic setuid/setgid and
file capabilities.  Exit with status 111, matching the existing
setuid behavior.

Signed-off-by: Alan Ross <alan@sleuthco.ai>
  ---
   libxtables/xtables.c | 5 +++--
   1 file changed, 3 insertions(+), 2 deletions(-)

  diff --git a/libxtables/xtables.c b/libxtables/xtables.c
  index af56a75..f872cc6 100644
  --- a/libxtables/xtables.c
  +++ b/libxtables/xtables.c
  @@ -31,6 +31,7 @@
   #include <netinet/ether.h>
   #include <sys/socket.h>
   #include <sys/stat.h>
  +#include <sys/auxv.h>
   #include <sys/statfs.h>
   #include <sys/types.h>
   #include <sys/utsname.h>
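Review bot: the new unconditional `#include <sys/auxv.h>` ties libxtables to a libc that provides getauxval() (glibc gained it in 2.16, musl has it; older uclibc and non-Linux targets may not), so a build on such a libc now fails at this line; add a configure check for getauxval and a fallback path that keeps only the getuid()/geteuid() comparison when it is unavailable.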
  @@ -331,8 +332,8 @@ void xtables_announce_chain(const char *name)

   void xtables_init(void)
   {
  -     /* xtables cannot be used with setuid in a safe way. */
  -     if (getuid() != geteuid())
  +     /* xtables cannot be used with setuid/setcap in a safe way. */
  +     if (getuid() != geteuid() || getauxval(AT_SECURE))
                _exit(111);

        xtables_libdir = getenv("XTABLES_LIBDIR");
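Review bot: the new comment describes the AT_SECURE test as a setuid/setcap check, but the kernel also sets AT_SECURE when an LSM marks the exec as secure (for example a SELinux domain transition without the noatsecure permission), so on such systems iptables will now take the `_exit(111)` path with no output at all; the comment should name that case, and a one-line message on stderr before `_exit(111)` would let an administrator tell this deliberate refusal from a crash. The `getuid() != geteuid()` half is now redundant in practice, since setuid execution sets AT_SECURE too, but it is harmless to keep.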
  --
  2.43.0
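An added example, not part of the patch or of iptables itself: a POSIX sh audit that scans getcap(8) output for xtables front ends installed with cap_net_admin file capabilities, the configuration the commit message describes and that this patch makes exit with status 111. The getcap listing in the block is constructed sample input; a real run pipes `getcap -r /usr/sbin /usr/bin /sbin 2>/dev/null` into the function instead.

```shell
#!/bin/sh
# Added audit helper (not from the netfilter project): find xtables front ends
# that carry cap_net_admin as a file capability. After this patch such binaries
# refuse to run (getauxval(AT_SECURE) != 0), so an administrator wants to know
# about them before upgrading.

# Constructed sample of `getcap -r` output for offline use. Both the newer
# "path cap=ep" and the older "path = cap+ep" line formats are represented.
SAMPLE_GETCAP='/usr/sbin/iptables cap_net_admin=ep
/usr/sbin/ip6tables-restore cap_net_admin,cap_net_raw=ep
/usr/bin/ping cap_net_raw=ep
/usr/sbin/xtables-nft-multi = cap_net_admin+ep
/usr/sbin/tcpdump cap_net_admin,cap_net_raw=eip'

# Read getcap lines on stdin; print the path of every binary whose basename
# looks like an xtables front end and whose capability set includes
# cap_net_admin.
flag_setcap_xtables() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        path=${line%% *}        # first field: the binary path
        caps=${line#* }         # remainder: capability set as getcap prints it
        case ${path##*/} in
            iptables*|ip6tables*|xtables*|ebtables*|arptables*) ;;
            *) continue ;;
        esac
        case $caps in
            *cap_net_admin*) printf '%s\n' "$path" ;;
        esac
    done
}

# Number of flagged binaries in the sample, for use as a pre-upgrade gate.
count_flagged() {
    printf '%s\n' "$SAMPLE_GETCAP" | flag_setcap_xtables | wc -l | tr -d ' '
}

# Real use: getcap -r /usr/sbin /usr/bin /sbin 2>/dev/null | flag_setcap_xtables
printf '%s\n' "$SAMPLE_GETCAP" | flag_setcap_xtables
```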


* Re: [PATCH v2] libxtables: refuse to run under file capabilities
  2026-02-12 13:35 [PATCH v2] libxtables: refuse to run under file capabilities Alan Ross
@ 2026-02-12 13:47 ` Florian Westphal
  2026-02-12 16:15   ` Jan Engelhardt
  2026-02-13 11:38 ` Florian Westphal
  1 sibling, 1 reply; 6+ messages in thread
From: Florian Westphal @ 2026-02-12 13:47 UTC (permalink / raw)
  To: Alan Ross; +Cc: netfilter-devel

Alan Ross <alan@sleuthco.ai> wrote:
> Extend the existing setuid guard in xtables_init() to also detect
> file capabilities via getauxval(AT_SECURE).

I'll apply this tomorrow unless anyone else has any objections.


* Re: [PATCH v2] libxtables: refuse to run under file capabilities
  2026-02-12 13:47 ` Florian Westphal
@ 2026-02-12 16:15   ` Jan Engelhardt
  2026-02-12 16:56     ` Alan Ross
  0 siblings, 1 reply; 6+ messages in thread
From: Jan Engelhardt @ 2026-02-12 16:15 UTC (permalink / raw)
  To: Florian Westphal; +Cc: Alan Ross, netfilter-devel


On Thursday 2026-02-12 14:47, Florian Westphal wrote:
>Alan Ross <alan@sleuthco.ai> wrote:
>>
>>Attacker-controlled env vars (XTABLES_LIBDIR, IPTABLES_LIB_DIR,
>>IP6TABLES_LIB_DIR) still reach dlopen(), allowing arbitrary code
>>execution as the capability-elevated user.
>>
>>Extend the existing setuid guard in xtables_init() to also detect
>>file capabilities via getauxval(AT_SECURE).
>
>I'll apply this tomorrow unless anyone else has any objections.

Ah, but we can test for `#ifdef NO_SHARED_LIBS` to see when dlopen
is not used, in which case setuid/fscap-enabled program binaries
might be tolerable.


* Re: [PATCH v2] libxtables: refuse to run under file capabilities
  2026-02-12 16:15   ` Jan Engelhardt
@ 2026-02-12 16:56     ` Alan Ross
  2026-02-12 17:20       ` Florian Westphal
  0 siblings, 1 reply; 6+ messages in thread
From: Alan Ross @ 2026-02-12 16:56 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: Florian Westphal, netfilter-devel

Good feedback. If the binary is built with NO_SHARED_LIBS (static, no
dlopen()), then the env vars never reach plugin loading, so the setcap
risk is mostly gone and it's okay to allow it.

The fix is simple — keep the existing setuid guard unconditional, but
gate the new getauxval(AT_SECURE) check behind #ifndef NO_SHARED_LIBS:

  /* xtables cannot be used with setuid in a safe way. */
  if (getuid() != geteuid())
          _exit(111);
  #ifndef NO_SHARED_LIBS
  /* When plugins are loaded via dlopen(), file capabilities are
   * also unsafe — attacker-controlled env vars reach dlopen(). */
  if (getauxval(AT_SECURE))
          _exit(111);
  #endif

This way:
- Shared builds (default): refuses to run under both setuid and setcap
- Static builds (NO_SHARED_LIBS): still refuses setuid, but allows
  setcap since there's no dlopen attack surface

Want me to update the patch file?


On Thu, Feb 12, 2026 at 11:15 AM Jan Engelhardt <ej@inai.de> wrote:
>
>
> On Thursday 2026-02-12 14:47, Florian Westphal wrote:
> >Alan Ross <alan@sleuthco.ai> wrote:
> >>
> >>Attacker-controlled env vars (XTABLES_LIBDIR, IPTABLES_LIB_DIR,
> >>IP6TABLES_LIB_DIR) still reach dlopen(), allowing arbitrary code
> >>execution as the capability-elevated user.
> >>
> >>Extend the existing setuid guard in xtables_init() to also detect
> >>file capabilities via getauxval(AT_SECURE).
> >
> >I'll apply this tomorrow unless anyone else has any objections.
>
> Ah, but we can test for `#ifdef NO_SHARED_LIBS` to see when dlopen
> is not used, in which case setuid/fscap-enabled program binaries
> might be tolerable.


* Re: [PATCH v2] libxtables: refuse to run under file capabilities
  2026-02-12 16:56     ` Alan Ross
@ 2026-02-12 17:20       ` Florian Westphal
  0 siblings, 0 replies; 6+ messages in thread
From: Florian Westphal @ 2026-02-12 17:20 UTC (permalink / raw)
  To: Alan Ross; +Cc: Jan Engelhardt, netfilter-devel

Alan Ross <alan@sleuthco.ai> wrote:
> Good feedback. If the binary is built with NO_SHARED_LIBS (static, no
> dlopen()), then the env vars never reach plugin loading, so the setcap
> risk is mostly gone and it's okay to allow it.

Not so sure.  Yes, the dlopen() risk is gone.

But I'm not convinced it's safe to setcap this; are we sure there is no
bug in there that could allow redirecting control flow?

CAP_NET_ADMIN is quite powerful, I don't think we should sanction
setcap-installations in any way, so I prefer the strict version.


* Re: [PATCH v2] libxtables: refuse to run under file capabilities
  2026-02-12 13:35 [PATCH v2] libxtables: refuse to run under file capabilities Alan Ross
  2026-02-12 13:47 ` Florian Westphal
@ 2026-02-13 11:38 ` Florian Westphal
  1 sibling, 0 replies; 6+ messages in thread
From: Florian Westphal @ 2026-02-13 11:38 UTC (permalink / raw)
  To: Alan Ross; +Cc: netfilter-devel

Alan Ross <alan@sleuthco.ai> wrote:
> Extend the existing setuid guard in xtables_init() to also detect
> file capabilities via getauxval(AT_SECURE).

Applied, thanks.

For future submissions, please try to set up git-send-email, the patch
was whitespace damaged and did not apply.

I mangled this locally, so no need to resend this one.

