* [PATCH v2] libxtables: refuse to run under file capabilities
@ 2026-02-12 13:35 Alan Ross
2026-02-12 13:47 ` Florian Westphal
2026-02-13 11:38 ` Florian Westphal
From: Alan Ross @ 2026-02-12 13:35 UTC (permalink / raw)
To: netfilter-devel
Extend the existing setuid guard in xtables_init() to also detect
file capabilities via getauxval(AT_SECURE).
Some container runtimes and minimal distributions grant cap_net_admin
via file capabilities (setcap cap_net_admin+ep /usr/sbin/iptables)
rather than running through sudo. In that configuration the kernel
sets AT_SECURE and the dynamic linker strips LD_PRELOAD, but
getuid() == geteuid() so the existing setuid check passes.
Attacker-controlled env vars (XTABLES_LIBDIR, IPTABLES_LIB_DIR,
IP6TABLES_LIB_DIR) still reach dlopen(), allowing arbitrary code
execution as the capability-elevated user.
getauxval(AT_SECURE) is nonzero whenever the kernel has set AT_SECURE
in the auxiliary vector -- this covers both classic setuid/setgid and
file capabilities. Exit with status 111, matching the existing
setuid behavior.
Signed-off-by: Alan Ross <alan@sleuthco.ai>
---
libxtables/xtables.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/libxtables/xtables.c b/libxtables/xtables.c
index af56a75..f872cc6 100644
--- a/libxtables/xtables.c
+++ b/libxtables/xtables.c
@@ -31,6 +31,7 @@
#include <netinet/ether.h>
#include <sys/socket.h>
#include <sys/stat.h>
+#include <sys/auxv.h>
#include <sys/statfs.h>
#include <sys/types.h>
#include <sys/utsname.h>
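Review bot: `<sys/auxv.h>` and getauxval() are glibc (2.16+) and musl extensions rather than POSIX, and this include is unconditional, so libxtables stops building on any libc that lacks them; a configure-time check for getauxval, falling back to the existing uid/euid comparison alone when it is missing, would keep those builds working unless the project is happy to require it.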
@@ -331,8 +332,8 @@ void xtables_announce_chain(const char *name)
void xtables_init(void)
{
- /* xtables cannot be used with setuid in a safe way. */
- if (getuid() != geteuid())
+ /* xtables cannot be used with setuid/setcap in a safe way. */
+ if (getuid() != geteuid() || getauxval(AT_SECURE))
_exit(111);
xtables_libdir = getenv("XTABLES_LIBDIR");
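Review bot: the `getauxval(AT_SECURE)` condition rejects more than the setuid and file-capability cases the new comment names: the kernel also sets AT_SECURE when an LSM requests a secure exec (SELinux does so on a domain transition unless the transitioning domain holds the `noatsecure` permission), so iptables run through such a transition will now `_exit(111)` with no message at all. The comment and the commit message should say so, and since the process dies before xtables has printed anything, an `fprintf(stderr, ...)` immediately before the `_exit(111)` would turn a bare exit status into something an operator can diagnose. The `getuid() != geteuid()` test is redundant wherever AT_SECURE is available (the commit message itself says AT_SECURE covers setuid/setgid), but keeping it as a fallback does no harm.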
--
2.43.0
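As an added illustration of the guard the thread is discussing (this is not code from the patch or from iptables), the following stand-alone C program reports the three signals involved: whether the real and effective ids differ, whether the kernel set AT_SECURE in the auxiliary vector, and what getenv() versus glibc's secure_getenv() return for XTABLES_LIBDIR. It assumes Linux with glibc or musl; the PRIV_* flags, the helper names and the /usr/lib/xtables fallback path are placeholders for this example, not libxtables identifiers.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE          /* for secure_getenv() in <stdlib.h> */
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/auxv.h>
#include <unistd.h>

/* Prototype repeated so the call compiles even if <stdlib.h> was first
 * pulled in without _GNU_SOURCE; this matches the glibc/musl signature. */
extern char *secure_getenv(const char *name);

/* Why the current exec crossed a privilege boundary (placeholder flags
 * for this example, not libxtables names). */
#define PRIV_NONE        0
#define PRIV_SETID       1   /* real and effective uid or gid differ */
#define PRIV_SECURE_EXEC 2   /* kernel set AT_SECURE: setuid/setgid, file caps or LSM */

/* Pure classification so the policy can be tested without setcap. */
int classify_privilege(uid_t uid, uid_t euid, gid_t gid, gid_t egid,
                       unsigned long at_secure)
{
    int state = PRIV_NONE;

    if (uid != euid || gid != egid)
        state |= PRIV_SETID;
    if (at_secure)
        state |= PRIV_SECURE_EXEC;
    return state;
}

/* Read the live process state. getauxval() returns 0 and sets errno to
 * ENOENT when the requested auxv entry is absent; only then is a zero
 * AT_SECURE inconclusive and the uid/gid comparison is all we have. */
int current_privilege(void)
{
    unsigned long at_secure;

    errno = 0;
    at_secure = getauxval(AT_SECURE);
    if (at_secure == 0 && errno == ENOENT)
        fprintf(stderr, "AT_SECURE missing from auxv; uid/gid check only\n");
    return classify_privilege(getuid(), geteuid(), getgid(), getegid(),
                              at_secure);
}

/* Plugin directory policy: an environment value may steer dlopen() only
 * when the exec was not privileged. The built-in path is a placeholder. */
const char *choose_plugin_dir(const char *env_value, const char *builtin,
                              int priv)
{
    if (priv != PRIV_NONE || env_value == NULL || env_value[0] == '\0')
        return builtin;
    return env_value;
}

int main(void)
{
    int priv = current_privilege();
    const char *env_dir = getenv("XTABLES_LIBDIR");
    /* glibc's own version of the rule: NULL whenever AT_SECURE is set,
     * regardless of whether uid and euid match. */
    const char *safe_dir = secure_getenv("XTABLES_LIBDIR");

    printf("uid=%u euid=%u AT_SECURE=%lu privilege_flags=%d\n",
           (unsigned)getuid(), (unsigned)geteuid(),
           getauxval(AT_SECURE), priv);
    printf("getenv(XTABLES_LIBDIR)        = %s\n",
           env_dir ? env_dir : "(unset)");
    printf("secure_getenv(XTABLES_LIBDIR) = %s\n",
           safe_dir ? safe_dir : "(unset or secure exec)");
    printf("plugin dir that would be used = %s\n",
           choose_plugin_dir(env_dir, "/usr/lib/xtables", priv));

    if (priv != PRIV_NONE) {
        fprintf(stderr, "refusing to run: privileged exec (flags=%d)\n", priv);
        return 111;          /* same status the xtables guard uses */
    }
    return 0;
}
```

Build it with `cc -Wall -o secexec secexec.c`, run it once plainly, then `sudo setcap cap_net_admin+ep ./secexec` and run `XTABLES_LIBDIR=/tmp/evil ./secexec` as an unprivileged user: uid and euid stay equal, AT_SECURE becomes 1 because the process gained a capability it did not have, getenv() still returns /tmp/evil while secure_getenv() returns NULL, and the program exits 111 as the patched xtables_init() does. Run the same setcap binary as root and AT_SECURE stays 0, since root already holds the capability and no privilege boundary is crossed.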
* Re: [PATCH v2] libxtables: refuse to run under file capabilities
2026-02-12 13:35 [PATCH v2] libxtables: refuse to run under file capabilities Alan Ross
@ 2026-02-12 13:47 ` Florian Westphal
2026-02-12 16:15 ` Jan Engelhardt
2026-02-13 11:38 ` Florian Westphal
From: Florian Westphal @ 2026-02-12 13:47 UTC (permalink / raw)
To: Alan Ross; +Cc: netfilter-devel
Alan Ross <alan@sleuthco.ai> wrote:
> Extend the existing setuid guard in xtables_init() to also detect
> file capabilities via getauxval(AT_SECURE).
I'll apply this tomorrow unless anyone else has any objections.
* Re: [PATCH v2] libxtables: refuse to run under file capabilities
2026-02-12 13:47 ` Florian Westphal
@ 2026-02-12 16:15 ` Jan Engelhardt
2026-02-12 16:56 ` Alan Ross
From: Jan Engelhardt @ 2026-02-12 16:15 UTC (permalink / raw)
To: Florian Westphal; +Cc: Alan Ross, netfilter-devel
On Thursday 2026-02-12 14:47, Florian Westphal wrote:
>Alan Ross <alan@sleuthco.ai> wrote:
>>
>>Attacker-controlled env vars (XTABLES_LIBDIR, IPTABLES_LIB_DIR,
>>IP6TABLES_LIB_DIR) still reach dlopen(), allowing arbitrary code
>>execution as the capability-elevated user.
>>
>>Extend the existing setuid guard in xtables_init() to also detect
>>file capabilities via getauxval(AT_SECURE).
>
>I'll apply this tomorrow unless anyone else has any objections.
Ah, but we can test for `#ifdef NO_SHARED_LIBS` to see when dlopen
is not used, in which case setuid/fscap-enabled program binaries
might be tolerable.
* Re: [PATCH v2] libxtables: refuse to run under file capabilities
2026-02-12 16:15 ` Jan Engelhardt
@ 2026-02-12 16:56 ` Alan Ross
2026-02-12 17:20 ` Florian Westphal
From: Alan Ross @ 2026-02-12 16:56 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Florian Westphal, netfilter-devel
Good feedback. If the binary is built with NO_SHARED_LIBS (static, no
dlopen()), then the env vars never reach plugin loading, so the setcap
risk is mostly gone and it's okay to allow it.
The fix is simple — keep the existing setuid guard unconditional,
but gate the new getauxval(AT_SECURE) check behind
#ifndef NO_SHARED_LIBS:
        /* xtables cannot be used with setuid in a safe way. */
        if (getuid() != geteuid())
                _exit(111);
#ifndef NO_SHARED_LIBS
        /* When plugins are loaded via dlopen(), file capabilities are
         * also unsafe — attacker-controlled env vars reach dlopen(). */
        if (getauxval(AT_SECURE))
                _exit(111);
#endif
This way:
- Shared builds (default): refuses to run under both setuid and setcap
- Static builds (NO_SHARED_LIBS): still refuses setuid, but allows
setcap since there's no dlopen attack surface
Want me to update the patch file?
On Thu, Feb 12, 2026 at 11:15 AM Jan Engelhardt <ej@inai.de> wrote:
>
>
> On Thursday 2026-02-12 14:47, Florian Westphal wrote:
> >Alan Ross <alan@sleuthco.ai> wrote:
> >>
> >>Attacker-controlled env vars (XTABLES_LIBDIR, IPTABLES_LIB_DIR,
> >>IP6TABLES_LIB_DIR) still reach dlopen(), allowing arbitrary code
> >>execution as the capability-elevated user.
> >>
> >>Extend the existing setuid guard in xtables_init() to also detect
> >>file capabilities via getauxval(AT_SECURE).
> >
> >I'll apply this tomorrow unless anyone else has any objections.
>
> Ah, but we can test for `#ifdef NO_SHARED_LIBS` to see when dlopen
> is not used, in which case setuid/fscap-enabled program binaries
> might be tolerable.
* Re: [PATCH v2] libxtables: refuse to run under file capabilities
2026-02-12 16:56 ` Alan Ross
@ 2026-02-12 17:20 ` Florian Westphal
From: Florian Westphal @ 2026-02-12 17:20 UTC (permalink / raw)
To: Alan Ross; +Cc: Jan Engelhardt, netfilter-devel
Alan Ross <alan@sleuthco.ai> wrote:
> Good feedback. If the binary is built with NO_SHARED_LIBS (static, no
> dlopen()), then the env vars
> never reach plugin loading, so the setcap risk is mostly gone and
> it's okay to allow it.
Not so sure. Yes, the dlopen() risk is gone.
But I'm not convinced it's safe to setcap this; are we sure there is no
bug in there that could allow redirecting control flow?
CAP_NET_ADMIN is quite powerful, I don't think we should sanction
setcap-installations in any way, so I prefer the strict version.
* Re: [PATCH v2] libxtables: refuse to run under file capabilities
2026-02-12 13:35 [PATCH v2] libxtables: refuse to run under file capabilities Alan Ross
2026-02-12 13:47 ` Florian Westphal
@ 2026-02-13 11:38 ` Florian Westphal
From: Florian Westphal @ 2026-02-13 11:38 UTC (permalink / raw)
To: Alan Ross; +Cc: netfilter-devel
Alan Ross <alan@sleuthco.ai> wrote:
> Extend the existing setuid guard in xtables_init() to also detect
> file capabilities via getauxval(AT_SECURE).
Applied, thanks.
For future submissions, please try to set up git-send-email, the patch
was whitespace damaged and did not apply.
I mangled this locally, so no need to resend this one.