From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Google-Smtp-Source: AH8x226QPNNYkQOv7LXRaqrW0fjTRkHOpmpWsWLm/CuBILnl2mR0orXe1ZshSAlwlzkeXJ5+JTnt ARC-Seal: i=1; a=rsa-sha256; t=1517256442; cv=none; d=google.com; s=arc-20160816; b=uqRKrNfLsXXdqWlj3HxQdJnaYWgNeK+QZXkCLZfriObsVdh4GWCMZ4gMcqkzMSm2yB 4SrTpx02LR2VQUGAwX5uppdAJNash808EwmsC9kxhd+3pEoY41SAnGYONYg09fKoLFzg tFv/C21LmZYbUMvnn+7eW3MjaRX6RMcy8MpRdLpt0HIcmBbE2LDkvlaEcUDCqng7RblE nROeqNKbzqorYUjyWc1F8BieZ/AdzBADnUHhScMb1FsUJEMAhwX3dvYrTLMIT60H+s8h 3JA4E+kvNPHHl3um53Nie4CmEMbjMGxBFAYSbzI0huVPmRMVSKdWOwWGiq/46XlT6DhQ prrA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=mime-version:user-agent:references:in-reply-to:message-id:date :subject:cc:to:from:arc-authentication-results; bh=5wd7Du7Y0+JjON1gGwCiuzXruvcFyUcScGE//PLXyZU=; b=NHLsZYu0SSC/qp9mva2MdOEuqRh2LsKp+Bz38hxFY6HZe6XTUaaNfVnr8VWU2zE1bz SL9UJQxrH08+6c+8nxzIgkVWO5Yfa+jOspPtEEsl9JzeKwf/bgjxs5QRErUe7msyk5dP f/hWZb46m/GU4VWH+5Ymyv9zCMM+MwzOmN97Bpe7OAkA6cNAV5FxnhyrqLSeEszWun+Z wgDsC5GlwEG5mqmFyFB+kJkyjbLwcDxQUnYI7faRpRZn+mhuTwrjdkVETHjDskF6fWFL xOrhS+C75NLg5n/cnSsghGkZkh5B2BCT9o8RJsEOoaa8Ce0X/IsbG91ytyTnvC98Vqno JRpg== ARC-Authentication-Results: i=1; mx.google.com; spf=softfail (google.com: domain of transitioning gregkh@linuxfoundation.org does not designate 90.92.71.90 as permitted sender) smtp.mailfrom=gregkh@linuxfoundation.org Authentication-Results: mx.google.com; spf=softfail (google.com: domain of transitioning gregkh@linuxfoundation.org does not designate 90.92.71.90 as permitted sender) smtp.mailfrom=gregkh@linuxfoundation.org From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Kevin Cernekee , Pablo Neira Ayuso , Michal Kubecek Subject: [PATCH 3.18 31/52] netfilter: xt_osf: Add missing permission checks Date: Mon, 29 Jan 2018 13:56:49 +0100 Message-Id: <20180129123629.556768281@linuxfoundation.org> X-Mailer: git-send-email 2.16.1 In-Reply-To: <20180129123628.168904217@linuxfoundation.org> References: <20180129123628.168904217@linuxfoundation.org> User-Agent: quilt/0.65 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-LABELS: =?utf-8?b?IlxcU2VudCI=?= X-GMAIL-THRID: =?utf-8?q?1590958646544248855?= X-GMAIL-MSGID: =?utf-8?q?1590958691096868881?= X-Mailing-List: linux-kernel@vger.kernel.org List-ID: 3.18-stable review patch. If anyone has any objections, please let me know. ------------------ From: Kevin Cernekee commit 916a27901de01446bcf57ecca4783f6cff493309 upstream. The capability check in nfnetlink_rcv() verifies that the caller has CAP_NET_ADMIN in the namespace that "owns" the netlink socket. However, xt_osf_fingers is shared by all net namespaces on the system. An unprivileged user can create user and net namespaces in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable() check: vpnns -- nfnl_osf -f /tmp/pf.os vpnns -- nfnl_osf -f /tmp/pf.os -d These non-root operations successfully modify the systemwide OS fingerprint list. Add new capable() checks so that they can't. Signed-off-by: Kevin Cernekee Signed-off-by: Pablo Neira Ayuso Acked-by: Michal Kubecek Signed-off-by: Greg Kroah-Hartman --- net/netfilter/xt_osf.c | 7 +++++++ 1 file changed, 7 insertions(+) --- a/net/netfilter/xt_osf.c +++ b/net/netfilter/xt_osf.c @@ -19,6 +19,7 @@ #include #include +#include #include #include #include @@ -69,6 +70,9 @@ static int xt_osf_add_callback(struct so struct xt_osf_finger *kf = NULL, *sf; int err = 0; + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + if (!osf_attrs[OSF_ATTR_FINGER]) return -EINVAL; @@ -112,6 +116,9 @@ static int xt_osf_remove_callback(struct struct xt_osf_finger *sf; int err = -ENOENT; + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + if (!osf_attrs[OSF_ATTR_FINGER]) return -EINVAL;