From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Google-Smtp-Source: AH8x226ggIBca9U0TxChjpOAzvx5rzbKEHR82zsWOh8gC+bsFCS7iO7gNClyJDW1NWpXczpO4I1F ARC-Seal: i=1; a=rsa-sha256; t=1517256399; cv=none; d=google.com; s=arc-20160816; b=EI/ms8w7MQzHBz2La1B6Gu/ywbT0HhemBqZ9po+w1TYvWUBYagS/Aun6M6jVV0SA4B 0iZTdo6Yexm1SdXvmRf4n4eiVqL64Hm0lORQxmNAmDI9bHFS0oCdBHVLfSQBqAGnhnLO XSyHuV9g/aKSKHFRYU9/ry9rtUihH2/7xBzPBd2k7uYNTR2x9cCshgtRqDnpfiJD7HXv sQU2Oj4XyDJsJ1GZvLPpu/qx2FVAK0ofCBlyjWYWSnEBI2Di7zUsP3mz2LvfdnCbTMfg AwIui+Ef7bjjEY2W2fA/oKTUr//s6cAFwqqO49W2lwR7Favuo6C3YDDFW/2ftCNdRK/i WZYg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=mime-version:user-agent:references:in-reply-to:message-id:date :subject:cc:to:from:arc-authentication-results; bh=OHv2zbw7+J5ACIVgPS84bJhYHzfzeBNESYIx0QdxzHU=; b=m+w0x6o8LxipR2lgCMR4i9xpmc61WLwD18rZdruKiaxtUS4RPu2y1SEw29T9yhx4tB AZkHNwE4lACEfMTklPlR/XnHib0ckx8pEoTX8svcD6YmfijlktI9fTceuoSZs8qvtC4D IGKcVQfJVLp1vtd8Kg75zSHWo3ifZ3OqQDChNOI9zwHI0HmzIgoAFx4ExD74JsMlz2Dd 985LSKwZGY2afUPOhOFWJw77VAbMKAIyikpyNdnRFnA6QXePnoyfaid5pfQMnPO71dPZ x+KUpRN00xPlhydqQxQkMHxgK7OfOn1pFPrCFr7Zu3jhqZb+UYp5EB+qlAa43fKhCpd1 b1aw== ARC-Authentication-Results: i=1; mx.google.com; spf=softfail (google.com: domain of transitioning gregkh@linuxfoundation.org does not designate 90.92.71.90 as permitted sender) smtp.mailfrom=gregkh@linuxfoundation.org Authentication-Results: mx.google.com; spf=softfail (google.com: domain of transitioning gregkh@linuxfoundation.org does not designate 90.92.71.90 as permitted sender) smtp.mailfrom=gregkh@linuxfoundation.org From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Kevin Cernekee , Pablo Neira Ayuso , Michal Kubecek Subject: [PATCH 4.4 40/74] netfilter: xt_osf: Add missing permission checks Date: Mon, 29 Jan 2018 13:56:45 +0100 Message-Id: <20180129123849.389817535@linuxfoundation.org> X-Mailer: git-send-email 2.16.1 In-Reply-To: <20180129123847.507563674@linuxfoundation.org> References: <20180129123847.507563674@linuxfoundation.org> User-Agent: quilt/0.65 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-LABELS: =?utf-8?b?IlxcU2VudCI=?= X-GMAIL-THRID: =?utf-8?q?1590958646544248855?= X-GMAIL-MSGID: =?utf-8?q?1590958646544248855?= X-Mailing-List: linux-kernel@vger.kernel.org List-ID: 4.4-stable review patch. If anyone has any objections, please let me know. ------------------ From: Kevin Cernekee commit 916a27901de01446bcf57ecca4783f6cff493309 upstream. The capability check in nfnetlink_rcv() verifies that the caller has CAP_NET_ADMIN in the namespace that "owns" the netlink socket. However, xt_osf_fingers is shared by all net namespaces on the system. An unprivileged user can create user and net namespaces in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable() check: vpnns -- nfnl_osf -f /tmp/pf.os vpnns -- nfnl_osf -f /tmp/pf.os -d These non-root operations successfully modify the systemwide OS fingerprint list. Add new capable() checks so that they can't. Signed-off-by: Kevin Cernekee Signed-off-by: Pablo Neira Ayuso Acked-by: Michal Kubecek Signed-off-by: Greg Kroah-Hartman --- net/netfilter/xt_osf.c | 7 +++++++ 1 file changed, 7 insertions(+) --- a/net/netfilter/xt_osf.c +++ b/net/netfilter/xt_osf.c @@ -19,6 +19,7 @@ #include #include +#include #include #include #include @@ -69,6 +70,9 @@ static int xt_osf_add_callback(struct so struct xt_osf_finger *kf = NULL, *sf; int err = 0; + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + if (!osf_attrs[OSF_ATTR_FINGER]) return -EINVAL; @@ -112,6 +116,9 @@ static int xt_osf_remove_callback(struct struct xt_osf_finger *sf; int err = -ENOENT; + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + if (!osf_attrs[OSF_ATTR_FINGER]) return -EINVAL;