From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Google-Smtp-Source: AH8x224VR1DcirRTbxd1YsHiFZfw8/VfhgpKIYfYDn6EUkXppWSd7Q4xRZGf+KdFRqAFIUMZcbBe ARC-Seal: i=1; a=rsa-sha256; t=1517256895; cv=none; d=google.com; s=arc-20160816; b=VxVBX3oP0vM7Ue+LJtyVaJbHS3rxN+JmGic3A+tBqEMUtHAPAERoCPeYucp7rpZiWw abrEoF923s90pAsui+pJ/L+AdmHrqDeTM0ebtsHkL8Y+bWvgoAzkD8N9AUmRm9708lse iCQIpYyuANJDrvXkZCMP0wKS4JOY9NwKd/FUD4WJ068Gnb2vPXlxDgd45H5/oRo/1K+f UDB20K+XjEQWzu3oO5DbFxxYthRy0T9zZPv3mEpMSAHPy89VHpW4fIX9HnqeyfLTUswg ras9b5C0gzc1Wr9idI2SgJuRXVOe6KGCkf76j6P4A01c1zJof//36REUwFQ0j0PvHsbG Pgvw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=mime-version:user-agent:references:in-reply-to:message-id:date :subject:cc:to:from:arc-authentication-results; bh=IRykF7jC8NrCrcki2CtqIHgfhKFZ4D5ohiZu+fRLXRo=; b=PO19y27gOFyDcFwvcseK0c3fV3iflTu/T2jmYZbm1f0+1KCpyHJHgaOJpWN3YR7jVZ S+Qr23Km3TR/ITkoiApzDFj1tqoVlTjg+6rR+tBMn8h6hvLGQo16IAJNR/DXXCU3swmk EJxiXIX5bHHwXf10kPpI0l2lnxvNASXkBHUfESiXsyi8cD8k37dvjIKf0+jnjPGitXV1 i1rQ0AEJoJ9dyn25uF1n51wGpwmB+WY0vMDBInubgb13ZGXeZ1YeqxcUjXot+UdjGlpK 8nBlpmVHW/vz4Nz9uE64DjCDh+aJLIunMQl3RArozzziT0VOZRTWWX7xWf+D6k90F9ig mDYA== ARC-Authentication-Results: i=1; mx.google.com; spf=softfail (google.com: domain of transitioning gregkh@linuxfoundation.org does not designate 90.92.71.90 as permitted sender) smtp.mailfrom=gregkh@linuxfoundation.org Authentication-Results: mx.google.com; spf=softfail (google.com: domain of transitioning gregkh@linuxfoundation.org does not designate 90.92.71.90 as permitted sender) smtp.mailfrom=gregkh@linuxfoundation.org From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Kevin Cernekee , Pablo Neira Ayuso , Michal Kubecek Subject: [PATCH 4.9 21/66] netfilter: xt_osf: Add missing permission checks Date: Mon, 29 Jan 2018 13:56:45 +0100 Message-Id: <20180129123840.942897695@linuxfoundation.org> X-Mailer: git-send-email 2.16.1 In-Reply-To: <20180129123839.842860149@linuxfoundation.org> References: <20180129123839.842860149@linuxfoundation.org> User-Agent: quilt/0.65 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-LABELS: =?utf-8?b?IlxcU2VudCI=?= X-GMAIL-THRID: =?utf-8?q?1590958646544248855?= X-GMAIL-MSGID: =?utf-8?q?1590959166478145832?= X-Mailing-List: linux-kernel@vger.kernel.org List-ID: 4.9-stable review patch. If anyone has any objections, please let me know. ------------------ From: Kevin Cernekee commit 916a27901de01446bcf57ecca4783f6cff493309 upstream. The capability check in nfnetlink_rcv() verifies that the caller has CAP_NET_ADMIN in the namespace that "owns" the netlink socket. However, xt_osf_fingers is shared by all net namespaces on the system. An unprivileged user can create user and net namespaces in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable() check: vpnns -- nfnl_osf -f /tmp/pf.os vpnns -- nfnl_osf -f /tmp/pf.os -d These non-root operations successfully modify the systemwide OS fingerprint list. Add new capable() checks so that they can't. Signed-off-by: Kevin Cernekee Signed-off-by: Pablo Neira Ayuso Acked-by: Michal Kubecek Signed-off-by: Greg Kroah-Hartman --- net/netfilter/xt_osf.c | 7 +++++++ 1 file changed, 7 insertions(+) --- a/net/netfilter/xt_osf.c +++ b/net/netfilter/xt_osf.c @@ -19,6 +19,7 @@ #include #include +#include #include #include #include @@ -69,6 +70,9 @@ static int xt_osf_add_callback(struct ne struct xt_osf_finger *kf = NULL, *sf; int err = 0; + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + if (!osf_attrs[OSF_ATTR_FINGER]) return -EINVAL; @@ -113,6 +117,9 @@ static int xt_osf_remove_callback(struct struct xt_osf_finger *sf; int err = -ENOENT; + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + if (!osf_attrs[OSF_ATTR_FINGER]) return -EINVAL;