From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Kevin Cernekee, Pablo Neira Ayuso, Michal Kubecek
Subject: [PATCH 4.9 20/66] netfilter: nfnetlink_cthelper: Add missing permission checks
Date: Mon, 29 Jan 2018 13:56:44 +0100
Message-Id: <20180129123840.892707494@linuxfoundation.org>
In-Reply-To: <20180129123839.842860149@linuxfoundation.org>
References: <20180129123839.842860149@linuxfoundation.org>

4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Kevin Cernekee

commit 4b380c42f7d00a395feede754f0bc2292eebe6e5 upstream.

The capability check in nfnetlink_rcv() verifies that the caller has
CAP_NET_ADMIN in the namespace that "owns" the netlink socket. However,
nfnl_cthelper_list is shared by all net namespaces on the system. An
unprivileged user can create user and net namespaces in which he holds
CAP_NET_ADMIN to bypass the netlink_net_capable() check:

  $ nfct helper list
  nfct v1.4.4: netlink error: Operation not permitted

  $ vpnns -- nfct helper list
  {
          .name = ftp,
          .queuenum = 0,
          .l3protonum = 2,
          .l4protonum = 6,
          .priv_data_len = 24,
          .status = enabled,
  };

Add capable() checks in nfnetlink_cthelper, as this is cleaner than
trying to generalize the solution.

Signed-off-by: Kevin Cernekee
Signed-off-by: Pablo Neira Ayuso
Acked-by: Michal Kubecek
Signed-off-by: Greg Kroah-Hartman
---
 net/netfilter/nfnetlink_cthelper.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

--- a/net/netfilter/nfnetlink_cthelper.c +++ b/net/netfilter/nfnetlink_cthelper.c @@ -17,6 +17,7 @@ #include #include #include +#include #include #include 
@@ -392,6 +393,9 @@ static int nfnl_cthelper_new(struct net struct nfnl_cthelper *nlcth; int ret = 0; + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + if (!tb[NFCTH_NAME] || !tb[NFCTH_TUPLE]) return -EINVAL; @@ -595,6 +599,9 @@ static int nfnl_cthelper_get(struct net struct nfnl_cthelper *nlcth; bool tuple_set = false; + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + if (nlh->nlmsg_flags & NLM_F_DUMP) { struct netlink_dump_control c = { .dump = nfnl_cthelper_dump_table, @@ -661,6 +668,9 @@ static int nfnl_cthelper_del(struct net struct nfnl_cthelper *nlcth, *n; int j = 0, ret; + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + if (tb[NFCTH_NAME]) helper_name = nla_data(tb[NFCTH_NAME]);
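Review bot: the header name on the "+#include" line of the first hunk did not survive extraction, so that hunk cannot be checked as shown; the three new capable(CAP_NET_ADMIN) calls need the kernel header that declares capable() and the CAP_NET_ADMIN constant, and the file's existing include list should be compared against it so the added line is not a duplicate.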
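Review bot: the check in nfnl_cthelper_new() sits ahead of the NFCTH_NAME / NFCTH_TUPLE validation, which is the right order, since an unprivileged caller now gets -EPERM before the handler parses or acts on any attribute. A one-line comment above the check would help, because capable() tests the calling task against the initial user namespace while the surrounding nfnetlink code uses the namespaced netlink_net_capable() that the commit message describes; the difference is the whole point of this fix (nfnl_cthelper_list is global), and without the comment a later cleanup could "harmonise" it back to the namespaced variant and reopen the hole.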
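Review bot: placing the check before the NLM_F_DUMP branch in nfnl_cthelper_get() is essential, because that branch hands control to nfnl_cthelper_dump_table through netlink_dump_control and would otherwise list every helper on the system with no capability check at all; the unprivileged "vpnns -- nfct helper list" output in the commit message is exactly this dump path. It is worth confirming that nfnl_cthelper_dump_table is not reachable from any other entry point that bypasses this handler.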
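Review bot: the nfnl_cthelper_del() check lands before tb[NFCTH_NAME] is read, so an unprivileged caller cannot even select a helper to delete. With new, get and del all gated, the patch covers every handler visible in these hunks; the reviewer should still look at the nfnl_cthelper_ops callback table in this file to confirm no further message type is dispatched from it without one of these checks.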