From: Sasha Levin <Alexander.Levin@microsoft.com>
To: "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"stable@vger.kernel.org" <stable@vger.kernel.org>
Cc: Kevin Cernekee <cernekee@chromium.org>,
Pablo Neira Ayuso <pablo@netfilter.org>,
Sasha Levin <Alexander.Levin@microsoft.com>
Subject: [PATCH AUTOSEL for 3.18 18/25] netfilter: xt_osf: Add missing permission checks
Date: Sun, 28 Jan 2018 22:29:56 +0000 [thread overview]
Message-ID: <20180128222931.7781-18-alexander.levin@microsoft.com> (raw)
In-Reply-To: <20180128222931.7781-1-alexander.levin@microsoft.com>
From: Kevin Cernekee <cernekee@chromium.org>
[ Upstream commit 916a27901de01446bcf57ecca4783f6cff493309 ]
The capability check in nfnetlink_rcv() verifies that the caller
has CAP_NET_ADMIN in the namespace that "owns" the netlink socket.
However, xt_osf_fingers is shared by all net namespaces on the
system. An unprivileged user can create user and net namespaces
in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable()
check:
vpnns -- nfnl_osf -f /tmp/pf.os
vpnns -- nfnl_osf -f /tmp/pf.os -d
These non-root operations successfully modify the systemwide OS
fingerprint list. Add new capable() checks so that they can't.
Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
---
net/netfilter/xt_osf.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/net/netfilter/xt_osf.c b/net/netfilter/xt_osf.c
index c529161cdbf8..99f3146b7337 100644
--- a/net/netfilter/xt_osf.c
+++ b/net/netfilter/xt_osf.c
@@ -19,6 +19,7 @@
#include <linux/module.h>
#include <linux/kernel.h>
+#include <linux/capability.h>
#include <linux/if.h>
#include <linux/inetdevice.h>
#include <linux/ip.h>
@@ -69,6 +70,9 @@ static int xt_osf_add_callback(struct sock *ctnl, struct sk_buff *skb,
struct xt_osf_finger *kf = NULL, *sf;
int err = 0;
+ if (!capable(CAP_NET_ADMIN))
+ return -EPERM;
+
if (!osf_attrs[OSF_ATTR_FINGER])
return -EINVAL;
@@ -112,6 +116,9 @@ static int xt_osf_remove_callback(struct sock *ctnl, struct sk_buff *skb,
struct xt_osf_finger *sf;
int err = -ENOENT;
+ if (!capable(CAP_NET_ADMIN))
+ return -EPERM;
+
if (!osf_attrs[OSF_ATTR_FINGER])
return -EINVAL;
--
2.11.0
next prev parent reply other threads:[~2018-01-28 22:30 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-28 22:29 [PATCH AUTOSEL for 3.18 01/25] usb: build drivers/usb/common/ when USB_SUPPORT is set Sasha Levin
2018-01-28 22:29 ` [PATCH AUTOSEL for 3.18 02/25] ARM: AM33xx: PRM: Remove am33xx_pwrdm_read_prev_pwrst function Sasha Levin
2018-01-28 22:29 ` [PATCH AUTOSEL for 3.18 03/25] ARM: dts: am4372: Correct the interrupts_properties of McASP Sasha Levin
2018-01-28 22:29 ` [PATCH AUTOSEL for 3.18 04/25] perf top: Fix window dimensions change handling Sasha Levin
2018-01-28 22:29 ` [PATCH AUTOSEL for 3.18 05/25] perf bench numa: Fixup discontiguous/sparse numa nodes Sasha Levin
2018-01-28 22:29 ` [PATCH AUTOSEL for 3.18 06/25] media: s5k6aa: describe some function parameters Sasha Levin
2018-01-28 22:29 ` [PATCH AUTOSEL for 3.18 08/25] m68k: add missing SOFTIRQENTRY_TEXT linker section Sasha Levin
2018-01-28 22:29 ` [PATCH AUTOSEL for 3.18 07/25] scripts/kernel-doc: Don't fail with status != 0 if error encountered with -none Sasha Levin
2018-01-28 22:29 ` [PATCH AUTOSEL for 3.18 09/25] powerpc/perf: Fix oops when grouping different pmu events Sasha Levin
2018-01-28 22:29 ` [PATCH AUTOSEL for 3.18 10/25] s390/dasd: prevent prefix I/O error Sasha Levin
2018-01-28 22:29 ` [PATCH AUTOSEL for 3.18 12/25] net_sched: red: Avoid devision by zero Sasha Levin
2018-01-28 22:29 ` [PATCH AUTOSEL for 3.18 11/25] gianfar: fix a flooded alignment reports because of padding issue Sasha Levin
2018-01-28 22:29 ` [PATCH AUTOSEL for 3.18 13/25] net_sched: red: Avoid illegal values Sasha Levin
2018-01-28 22:29 ` [PATCH AUTOSEL for 3.18 14/25] dccp: CVE-2017-8824: use-after-free in DCCP code Sasha Levin
2018-01-28 22:29 ` [PATCH AUTOSEL for 3.18 15/25] btrfs: Fix possible off-by-one in btrfs_search_path_in_tree Sasha Levin
2018-01-28 22:29 ` [PATCH AUTOSEL for 3.18 16/25] 509: fix printing uninitialized stack memory when OID is empty Sasha Levin
2018-01-28 22:29 ` [PATCH AUTOSEL for 3.18 17/25] netfilter: nfnetlink_cthelper: Add missing permission checks Sasha Levin
2018-01-28 22:29 ` Sasha Levin [this message]
2018-01-28 22:29 ` [PATCH AUTOSEL for 3.18 19/25] spi: sun4i: disable clocks in the remove function Sasha Levin
2018-01-28 22:29 ` [PATCH AUTOSEL for 3.18 20/25] xfrm: Fix stack-out-of-bounds with misconfigured transport mode policies Sasha Levin
2018-01-28 22:29 ` [PATCH AUTOSEL for 3.18 21/25] dmaengine: jz4740: disable/unprepare clk if probe fails Sasha Levin
2018-01-28 22:30 ` [PATCH AUTOSEL for 3.18 23/25] x86/mm/kmmio: Fix mmiotrace for page unaligned addresses Sasha Levin
2018-01-28 22:30 ` [PATCH AUTOSEL for 3.18 24/25] xen: XEN_ACPI_PROCESSOR is Dom0-only Sasha Levin
2018-01-28 22:30 ` [PATCH AUTOSEL for 3.18 25/25] hippi: Fix a Fix a possible sleep-in-atomic bug in rr_close Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180128222931.7781-18-alexander.levin@microsoft.com \
--to=alexander.levin@microsoft.com \
--cc=cernekee@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=pablo@netfilter.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).