* [PATCH] net: Fix ns_capable check in sock_diag_put_filterinfo @ 2014-04-17 4:41 Andy Lutomirski 2014-04-17 5:21 ` Eric Dumazet ` (2 more replies) 0 siblings, 3 replies; 7+ messages in thread From: Andy Lutomirski @ 2014-04-17 4:41 UTC (permalink / raw) To: Eric W. Biederman, netdev; +Cc: Andy Lutomirski, stable The caller needs capabilities on the namespace being queried, not on their own namespace. This is a security bug, although it likely has only a minor impact. Cc: stable@vger.kernel.org Signed-off-by: Andy Lutomirski <luto@amacapital.net> --- Someone should check that I'm right. I had trouble getting 'ss -b' to work, even with plain old sudo. include/linux/sock_diag.h | 2 +- net/core/sock_diag.c | 4 ++-- net/packet/diag.c | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/include/linux/sock_diag.h b/include/linux/sock_diag.h index 54f91d3..302ab80 100644 --- a/include/linux/sock_diag.h +++ b/include/linux/sock_diag.h @@ -23,7 +23,7 @@ int sock_diag_check_cookie(void *sk, __u32 *cookie); void sock_diag_save_cookie(void *sk, __u32 *cookie); int sock_diag_put_meminfo(struct sock *sk, struct sk_buff *skb, int attr); -int sock_diag_put_filterinfo(struct user_namespace *user_ns, struct sock *sk, +int sock_diag_put_filterinfo(struct sock *sk, struct sk_buff *skb, int attrtype); #endif diff --git a/net/core/sock_diag.c b/net/core/sock_diag.c index a0e9cf6..6a7fae2 100644 --- a/net/core/sock_diag.c +++ b/net/core/sock_diag.c @@ -49,7 +49,7 @@ int sock_diag_put_meminfo(struct sock *sk, struct sk_buff *skb, int attrtype) } EXPORT_SYMBOL_GPL(sock_diag_put_meminfo); -int sock_diag_put_filterinfo(struct user_namespace *user_ns, struct sock *sk, +int sock_diag_put_filterinfo(struct sock *sk, struct sk_buff *skb, int attrtype) { struct nlattr *attr; @@ -57,7 +57,7 @@ int sock_diag_put_filterinfo(struct user_namespace *user_ns, struct sock *sk, unsigned int len; int err = 0; - if (!ns_capable(user_ns, CAP_NET_ADMIN)) { + if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN)) { nla_reserve(skb, attrtype, 0); return 0; } diff --git a/net/packet/diag.c b/net/packet/diag.c index 533ce4f..435ff99 100644 --- a/net/packet/diag.c +++ b/net/packet/diag.c @@ -172,7 +172,7 @@ static int sk_diag_fill(struct sock *sk, struct sk_buff *skb, goto out_nlmsg_trim; if ((req->pdiag_show & PACKET_SHOW_FILTER) && - sock_diag_put_filterinfo(user_ns, sk, skb, PACKET_DIAG_FILTER)) + sock_diag_put_filterinfo(sk, skb, PACKET_DIAG_FILTER)) goto out_nlmsg_trim; return nlmsg_end(skb, nlh); -- 1.9.0 ^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH] net: Fix ns_capable check in sock_diag_put_filterinfo 2014-04-17 4:41 [PATCH] net: Fix ns_capable check in sock_diag_put_filterinfo Andy Lutomirski @ 2014-04-17 5:21 ` Eric Dumazet 2014-04-17 9:22 ` Nicolas Dichtel 2014-04-17 8:37 ` Eric W. Biederman 2014-04-22 16:54 ` David Miller 2 siblings, 1 reply; 7+ messages in thread From: Eric Dumazet @ 2014-04-17 5:21 UTC (permalink / raw) To: Andy Lutomirski; +Cc: Eric W. Biederman, netdev, stable, Nicolas Dichtel On Wed, 2014-04-16 at 21:41 -0700, Andy Lutomirski wrote: > The caller needs capabilities on the namespace being queried, not on > their own namespace. This is a security bug, although it likely has > only a minor impact. > > Cc: stable@vger.kernel.org > Signed-off-by: Andy Lutomirski <luto@amacapital.net> > --- > > Someone should check that I'm right. I had trouble getting 'ss -b' to > work, even with plain old sudo. > > include/linux/sock_diag.h | 2 +- > net/core/sock_diag.c | 4 ++-- > net/packet/diag.c | 2 +- > 3 files changed, 4 insertions(+), 4 deletions(-) > > diff --git a/include/linux/sock_diag.h b/include/linux/sock_diag.h > index 54f91d3..302ab80 100644 > --- a/include/linux/sock_diag.h > +++ b/include/linux/sock_diag.h > @@ -23,7 +23,7 @@ int sock_diag_check_cookie(void *sk, __u32 *cookie); > void sock_diag_save_cookie(void *sk, __u32 *cookie); > > int sock_diag_put_meminfo(struct sock *sk, struct sk_buff *skb, int attr); > -int sock_diag_put_filterinfo(struct user_namespace *user_ns, struct sock *sk, > +int sock_diag_put_filterinfo(struct sock *sk, > struct sk_buff *skb, int attrtype); > > #endif > diff --git a/net/core/sock_diag.c b/net/core/sock_diag.c > index a0e9cf6..6a7fae2 100644 > --- a/net/core/sock_diag.c > +++ b/net/core/sock_diag.c > @@ -49,7 +49,7 @@ int sock_diag_put_meminfo(struct sock *sk, struct sk_buff *skb, int attrtype) > } > EXPORT_SYMBOL_GPL(sock_diag_put_meminfo); > > -int sock_diag_put_filterinfo(struct user_namespace *user_ns, struct sock *sk, > +int sock_diag_put_filterinfo(struct sock *sk, > struct sk_buff *skb, int attrtype) > { > struct nlattr *attr; > @@ -57,7 +57,7 @@ int sock_diag_put_filterinfo(struct user_namespace *user_ns, struct sock *sk, > unsigned int len; > int err = 0; > > - if (!ns_capable(user_ns, CAP_NET_ADMIN)) { > + if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN)) { > nla_reserve(skb, attrtype, 0); > return 0; > } > diff --git a/net/packet/diag.c b/net/packet/diag.c > index 533ce4f..435ff99 100644 > --- a/net/packet/diag.c > +++ b/net/packet/diag.c > @@ -172,7 +172,7 @@ static int sk_diag_fill(struct sock *sk, struct sk_buff *skb, > goto out_nlmsg_trim; > > if ((req->pdiag_show & PACKET_SHOW_FILTER) && > - sock_diag_put_filterinfo(user_ns, sk, skb, PACKET_DIAG_FILTER)) > + sock_diag_put_filterinfo(sk, skb, PACKET_DIAG_FILTER)) > goto out_nlmsg_trim; > > return nlmsg_end(skb, nlh); Note you would have more chances CCing the author of the chunk you changed, and giving commit id like that : Fixes: e8d9612c181b ("sock_diag: allow to dump bpf filters") ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] net: Fix ns_capable check in sock_diag_put_filterinfo 2014-04-17 5:21 ` Eric Dumazet @ 2014-04-17 9:22 ` Nicolas Dichtel 0 siblings, 0 replies; 7+ messages in thread From: Nicolas Dichtel @ 2014-04-17 9:22 UTC (permalink / raw) To: Eric Dumazet, Andy Lutomirski; +Cc: Eric W. Biederman, netdev, stable Le 17/04/2014 07:21, Eric Dumazet a écrit : > On Wed, 2014-04-16 at 21:41 -0700, Andy Lutomirski wrote: >> The caller needs capabilities on the namespace being queried, not on >> their own namespace. This is a security bug, although it likely has >> only a minor impact. >> >> Cc: stable@vger.kernel.org >> Signed-off-by: Andy Lutomirski <luto@amacapital.net> Acked-by: Nicolas Dichtel <nicolas.dichtel@6wind.com> ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] net: Fix ns_capable check in sock_diag_put_filterinfo 2014-04-17 4:41 [PATCH] net: Fix ns_capable check in sock_diag_put_filterinfo Andy Lutomirski 2014-04-17 5:21 ` Eric Dumazet @ 2014-04-17 8:37 ` Eric W. Biederman 2014-04-17 9:17 ` Nicolas Dichtel 2014-04-17 9:21 ` Nicolas Dichtel 2014-04-22 16:54 ` David Miller 2 siblings, 2 replies; 7+ messages in thread From: Eric W. Biederman @ 2014-04-17 8:37 UTC (permalink / raw) To: Andy Lutomirski; +Cc: netdev, stable, Nicolas Dichtel Andy Lutomirski <luto@amacapital.net> writes: > The caller needs capabilities on the namespace being queried, not on > their own namespace. This is a security bug, although it likely has > only a minor impact. Hmm. Thinking this through. It would likely help to rename sk_user_ns to sk_opener_user_ns to make things clearer. As I read net/core/sock_diag.c anyone is allowed to open a diag socket and send messages to the kernel. Which means the code as written is definitely wrong as checking if we have CAP_NET_ADMIN in the user namespace in which we opened the netlink socket is meaningless. We could very easily have unshared the user namespace and have no permissions whatsoever over the network namespace we are querrying. I see three possibilities here. 1) We simply don't care who gets to read the bpf filter of a socket. 2) We consider reading the bpf filter of a socket an information leak about the socket and the opener of the socket. 3) We consider reading the bpf filter of a socket something we should only let the administrator of a network namespace do. I honestly don't know the intent of the check, and what we are trying to protect against so I don't know why having permissions to protect the bpf filter is important. If we simply don't care we should just delete this permission check. If we want to protect the opener of the socket we probably want something looks a lot like ptrace_may_access(..., PTRACE_MODE_READ) applied to the creds of the socket. Call it ns_capable((sock_opener_user_ns(sk), CAP_NET_ADMIN) for short. And if this is something we just want to limit to administrators of network stacks the check should be ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN) As Andy has coded below. Nicolas what was the intent of having a capability check to protect the bpf filter? What were you trying to protect against with a capability check on the bpf filter? Eric > Cc: stable@vger.kernel.org > Signed-off-by: Andy Lutomirski <luto@amacapital.net> > --- > > Someone should check that I'm right. I had trouble getting 'ss -b' to > work, even with plain old sudo. > > include/linux/sock_diag.h | 2 +- > net/core/sock_diag.c | 4 ++-- > net/packet/diag.c | 2 +- > 3 files changed, 4 insertions(+), 4 deletions(-) > > diff --git a/include/linux/sock_diag.h b/include/linux/sock_diag.h > index 54f91d3..302ab80 100644 > --- a/include/linux/sock_diag.h > +++ b/include/linux/sock_diag.h > @@ -23,7 +23,7 @@ int sock_diag_check_cookie(void *sk, __u32 *cookie); > void sock_diag_save_cookie(void *sk, __u32 *cookie); > > int sock_diag_put_meminfo(struct sock *sk, struct sk_buff *skb, int attr); > -int sock_diag_put_filterinfo(struct user_namespace *user_ns, struct sock *sk, > +int sock_diag_put_filterinfo(struct sock *sk, > struct sk_buff *skb, int attrtype); > > #endif > diff --git a/net/core/sock_diag.c b/net/core/sock_diag.c > index a0e9cf6..6a7fae2 100644 > --- a/net/core/sock_diag.c > +++ b/net/core/sock_diag.c > @@ -49,7 +49,7 @@ int sock_diag_put_meminfo(struct sock *sk, struct sk_buff *skb, int attrtype) > } > EXPORT_SYMBOL_GPL(sock_diag_put_meminfo); > > -int sock_diag_put_filterinfo(struct user_namespace *user_ns, struct sock *sk, > +int sock_diag_put_filterinfo(struct sock *sk, > struct sk_buff *skb, int attrtype) > { > struct nlattr *attr; > @@ -57,7 +57,7 @@ int sock_diag_put_filterinfo(struct user_namespace *user_ns, struct sock *sk, > unsigned int len; > int err = 0; > > - if (!ns_capable(user_ns, CAP_NET_ADMIN)) { > + if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN)) { > nla_reserve(skb, attrtype, 0); > return 0; > } > diff --git a/net/packet/diag.c b/net/packet/diag.c > index 533ce4f..435ff99 100644 > --- a/net/packet/diag.c > +++ b/net/packet/diag.c > @@ -172,7 +172,7 @@ static int sk_diag_fill(struct sock *sk, struct sk_buff *skb, > goto out_nlmsg_trim; > > if ((req->pdiag_show & PACKET_SHOW_FILTER) && > - sock_diag_put_filterinfo(user_ns, sk, skb, PACKET_DIAG_FILTER)) > + sock_diag_put_filterinfo(sk, skb, PACKET_DIAG_FILTER)) > goto out_nlmsg_trim; > > return nlmsg_end(skb, nlh); ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] net: Fix ns_capable check in sock_diag_put_filterinfo 2014-04-17 8:37 ` Eric W. Biederman @ 2014-04-17 9:17 ` Nicolas Dichtel 2014-04-17 9:21 ` Nicolas Dichtel 1 sibling, 0 replies; 7+ messages in thread From: Nicolas Dichtel @ 2014-04-17 9:17 UTC (permalink / raw) To: Eric W. Biederman, Andy Lutomirski; +Cc: netdev, stable Le 17/04/2014 10:37, Eric W. Biederman a écrit : > Andy Lutomirski <luto@amacapital.net> writes: > >> The caller needs capabilities on the namespace being queried, not on >> their own namespace. This is a security bug, although it likely has >> only a minor impact. > > Hmm. Thinking this through. > > It would likely help to rename sk_user_ns to sk_opener_user_ns to make > things clearer. > > As I read net/core/sock_diag.c anyone is allowed to open a diag socket > and send messages to the kernel. > > Which means the code as written is definitely wrong as checking if we > have CAP_NET_ADMIN in the user namespace in which we opened the netlink > socket is meaningless. We could very easily have unshared the user > namespace and have no permissions whatsoever over the network namespace > we are querrying. > > I see three possibilities here. > 1) We simply don't care who gets to read the bpf filter of a socket. > 2) We consider reading the bpf filter of a socket an information leak > about the socket and the opener of the socket. > 3) We consider reading the bpf filter of a socket something we should > only let the administrator of a network namespace do. > > I honestly don't know the intent of the check, and what we are trying to > protect against so I don't know why having permissions to protect the > bpf filter is important. > > If we simply don't care we should just delete this permission check. > > If we want to protect the opener of the socket we probably want > something looks a lot like ptrace_may_access(..., PTRACE_MODE_READ) > applied to the creds of the socket. Call it > > ns_capable((sock_opener_user_ns(sk), CAP_NET_ADMIN) > > for short. > > > And if this is something we just want to limit to administrators > of network stacks the check should be > > ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN) > > As Andy has coded below. > > Nicolas what was the intent of having a capability check to protect the > bpf filter? What were you trying to protect against with a capability > check on the bpf filter? Option 3 was the initial intention. BFP filter contains sensible informations and thus we only want to disclose them to the admin. Nicolas > > Eric > > >> Cc: stable@vger.kernel.org >> Signed-off-by: Andy Lutomirski <luto@amacapital.net> >> --- >> >> Someone should check that I'm right. I had trouble getting 'ss -b' to >> work, even with plain old sudo. >> >> include/linux/sock_diag.h | 2 +- >> net/core/sock_diag.c | 4 ++-- >> net/packet/diag.c | 2 +- >> 3 files changed, 4 insertions(+), 4 deletions(-) >> >> diff --git a/include/linux/sock_diag.h b/include/linux/sock_diag.h >> index 54f91d3..302ab80 100644 >> --- a/include/linux/sock_diag.h >> +++ b/include/linux/sock_diag.h >> @@ -23,7 +23,7 @@ int sock_diag_check_cookie(void *sk, __u32 *cookie); >> void sock_diag_save_cookie(void *sk, __u32 *cookie); >> >> int sock_diag_put_meminfo(struct sock *sk, struct sk_buff *skb, int attr); >> -int sock_diag_put_filterinfo(struct user_namespace *user_ns, struct sock *sk, >> +int sock_diag_put_filterinfo(struct sock *sk, >> struct sk_buff *skb, int attrtype); >> >> #endif >> diff --git a/net/core/sock_diag.c b/net/core/sock_diag.c >> index a0e9cf6..6a7fae2 100644 >> --- a/net/core/sock_diag.c >> +++ b/net/core/sock_diag.c >> @@ -49,7 +49,7 @@ int sock_diag_put_meminfo(struct sock *sk, struct sk_buff *skb, int attrtype) >> } >> EXPORT_SYMBOL_GPL(sock_diag_put_meminfo); >> >> -int sock_diag_put_filterinfo(struct user_namespace *user_ns, struct sock *sk, >> +int sock_diag_put_filterinfo(struct sock *sk, >> struct sk_buff *skb, int attrtype) >> { >> struct nlattr *attr; >> @@ -57,7 +57,7 @@ int sock_diag_put_filterinfo(struct user_namespace *user_ns, struct sock *sk, >> unsigned int len; >> int err = 0; >> >> - if (!ns_capable(user_ns, CAP_NET_ADMIN)) { >> + if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN)) { >> nla_reserve(skb, attrtype, 0); >> return 0; >> } >> diff --git a/net/packet/diag.c b/net/packet/diag.c >> index 533ce4f..435ff99 100644 >> --- a/net/packet/diag.c >> +++ b/net/packet/diag.c >> @@ -172,7 +172,7 @@ static int sk_diag_fill(struct sock *sk, struct sk_buff *skb, >> goto out_nlmsg_trim; >> >> if ((req->pdiag_show & PACKET_SHOW_FILTER) && >> - sock_diag_put_filterinfo(user_ns, sk, skb, PACKET_DIAG_FILTER)) >> + sock_diag_put_filterinfo(sk, skb, PACKET_DIAG_FILTER)) >> goto out_nlmsg_trim; >> >> return nlmsg_end(skb, nlh); -- Nicolas DICHTEL 6WIND R&D Engineer Tel: +33 1 39 30 92 41 Fax: +33 1 39 30 92 11 nicolas.dichtel@6wind.com http://www.6wind.com http://www.6windblog.com http://twitter.com/6windsoftware Ce courriel ainsi que toutes les pièces jointes, est uniquement destiné à son ou ses destinataires. Il contient des informations confidentielles qui sont la propriété de 6WIND. Toute révélation, distribution ou copie des informations qu'il contient est strictement interdite. Si vous avez reçu ce message par erreur, veuillez immédiatement le signaler à l'émetteur et détruire toutes les données reçues. This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and contains information that is confidential and proprietary to 6WIND. All unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] net: Fix ns_capable check in sock_diag_put_filterinfo 2014-04-17 8:37 ` Eric W. Biederman 2014-04-17 9:17 ` Nicolas Dichtel @ 2014-04-17 9:21 ` Nicolas Dichtel 1 sibling, 0 replies; 7+ messages in thread From: Nicolas Dichtel @ 2014-04-17 9:21 UTC (permalink / raw) To: Eric W. Biederman, Andy Lutomirski; +Cc: netdev, stable [send again the reply without the disclaimer, sorry for that] Le 17/04/2014 10:37, Eric W. Biederman a écrit : > Andy Lutomirski <luto@amacapital.net> writes: > >> The caller needs capabilities on the namespace being queried, not on >> their own namespace. This is a security bug, although it likely has >> only a minor impact. > > Hmm. Thinking this through. > > It would likely help to rename sk_user_ns to sk_opener_user_ns to make > things clearer. > > As I read net/core/sock_diag.c anyone is allowed to open a diag socket > and send messages to the kernel. > > Which means the code as written is definitely wrong as checking if we > have CAP_NET_ADMIN in the user namespace in which we opened the netlink > socket is meaningless. We could very easily have unshared the user > namespace and have no permissions whatsoever over the network namespace > we are querrying. > > I see three possibilities here. > 1) We simply don't care who gets to read the bpf filter of a socket. > 2) We consider reading the bpf filter of a socket an information leak > about the socket and the opener of the socket. > 3) We consider reading the bpf filter of a socket something we should > only let the administrator of a network namespace do. > > I honestly don't know the intent of the check, and what we are trying to > protect against so I don't know why having permissions to protect the > bpf filter is important. > > If we simply don't care we should just delete this permission check. > > If we want to protect the opener of the socket we probably want > something looks a lot like ptrace_may_access(..., PTRACE_MODE_READ) > applied to the creds of the socket. Call it > > ns_capable((sock_opener_user_ns(sk), CAP_NET_ADMIN) > > for short. > > > And if this is something we just want to limit to administrators > of network stacks the check should be > > ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN) > > As Andy has coded below. > > Nicolas what was the intent of having a capability check to protect the > bpf filter? What were you trying to protect against with a capability > check on the bpf filter? Option 3 was the initial intention. BFP filter contains sensible informations and thus we only want to disclose them to the admin. Nicolas > > Eric > > >> Cc: stable@vger.kernel.org >> Signed-off-by: Andy Lutomirski <luto@amacapital.net> >> --- >> >> Someone should check that I'm right. I had trouble getting 'ss -b' to >> work, even with plain old sudo. >> >> include/linux/sock_diag.h | 2 +- >> net/core/sock_diag.c | 4 ++-- >> net/packet/diag.c | 2 +- >> 3 files changed, 4 insertions(+), 4 deletions(-) >> >> diff --git a/include/linux/sock_diag.h b/include/linux/sock_diag.h >> index 54f91d3..302ab80 100644 >> --- a/include/linux/sock_diag.h >> +++ b/include/linux/sock_diag.h >> @@ -23,7 +23,7 @@ int sock_diag_check_cookie(void *sk, __u32 *cookie); >> void sock_diag_save_cookie(void *sk, __u32 *cookie); >> >> int sock_diag_put_meminfo(struct sock *sk, struct sk_buff *skb, int attr); >> -int sock_diag_put_filterinfo(struct user_namespace *user_ns, struct sock *sk, >> +int sock_diag_put_filterinfo(struct sock *sk, >> struct sk_buff *skb, int attrtype); >> >> #endif >> diff --git a/net/core/sock_diag.c b/net/core/sock_diag.c >> index a0e9cf6..6a7fae2 100644 >> --- a/net/core/sock_diag.c >> +++ b/net/core/sock_diag.c >> @@ -49,7 +49,7 @@ int sock_diag_put_meminfo(struct sock *sk, struct sk_buff *skb, int attrtype) >> } >> EXPORT_SYMBOL_GPL(sock_diag_put_meminfo); >> >> -int sock_diag_put_filterinfo(struct user_namespace *user_ns, struct sock *sk, >> +int sock_diag_put_filterinfo(struct sock *sk, >> struct sk_buff *skb, int attrtype) >> { >> struct nlattr *attr; >> @@ -57,7 +57,7 @@ int sock_diag_put_filterinfo(struct user_namespace *user_ns, struct sock *sk, >> unsigned int len; >> int err = 0; >> >> - if (!ns_capable(user_ns, CAP_NET_ADMIN)) { >> + if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN)) { >> nla_reserve(skb, attrtype, 0); >> return 0; >> } >> diff --git a/net/packet/diag.c b/net/packet/diag.c >> index 533ce4f..435ff99 100644 >> --- a/net/packet/diag.c >> +++ b/net/packet/diag.c >> @@ -172,7 +172,7 @@ static int sk_diag_fill(struct sock *sk, struct sk_buff *skb, >> goto out_nlmsg_trim; >> >> if ((req->pdiag_show & PACKET_SHOW_FILTER) && >> - sock_diag_put_filterinfo(user_ns, sk, skb, PACKET_DIAG_FILTER)) >> + sock_diag_put_filterinfo(sk, skb, PACKET_DIAG_FILTER)) >> goto out_nlmsg_trim; >> >> return nlmsg_end(skb, nlh); ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] net: Fix ns_capable check in sock_diag_put_filterinfo 2014-04-17 4:41 [PATCH] net: Fix ns_capable check in sock_diag_put_filterinfo Andy Lutomirski 2014-04-17 5:21 ` Eric Dumazet 2014-04-17 8:37 ` Eric W. Biederman @ 2014-04-22 16:54 ` David Miller 2 siblings, 0 replies; 7+ messages in thread From: David Miller @ 2014-04-22 16:54 UTC (permalink / raw) To: luto; +Cc: ebiederm, netdev, stable From: Andy Lutomirski <luto@amacapital.net> Date: Wed, 16 Apr 2014 21:41:34 -0700 > The caller needs capabilities on the namespace being queried, not on > their own namespace. This is a security bug, although it likely has > only a minor impact. > > Cc: stable@vger.kernel.org > Signed-off-by: Andy Lutomirski <luto@amacapital.net> Applied, thanks. ^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2014-04-22 16:54 UTC | newest] Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2014-04-17 4:41 [PATCH] net: Fix ns_capable check in sock_diag_put_filterinfo Andy Lutomirski 2014-04-17 5:21 ` Eric Dumazet 2014-04-17 9:22 ` Nicolas Dichtel 2014-04-17 8:37 ` Eric W. Biederman 2014-04-17 9:17 ` Nicolas Dichtel 2014-04-17 9:21 ` Nicolas Dichtel 2014-04-22 16:54 ` David Miller
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.