Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753357AbdLDKcJ (ORCPT ); Mon, 4 Dec 2017 05:32:09 -0500 Received: from mail.us.es ([193.147.175.20]:43650 "EHLO mail.us.es" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753281AbdLDKcI (ORCPT ); Mon, 4 Dec 2017 05:32:08 -0500 Date: Mon, 4 Dec 2017 11:32:00 +0100 X-SMTPAUTHUS: auth mail.us.es From: Pablo Neira Ayuso To: Kevin Cernekee Cc: netfilter-devel@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH] netfilter: nfnetlink_cthelper: Add missing permission checks Message-ID: <20171204103200.GA16022@salvia> References: <1512331965-30830-1-git-send-email-cernekee@chromium.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1512331965-30830-1-git-send-email-cernekee@chromium.org> User-Agent: Mutt/1.5.23 (2014-03-12) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 729 Lines: 19 On Sun, Dec 03, 2017 at 12:12:45PM -0800, Kevin Cernekee wrote: > The capability check in nfnetlink_rcv() verifies that the caller > has CAP_NET_ADMIN in the namespace that "owns" the netlink socket. > However, nfnl_cthelper_list is shared by all net namespaces on the > system. Right, we need per-netns support for nfnetlink_cthelper. > An unprivileged user can create user and net namespaces > in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable() > check: Applied to nf, thanks. [...] > I think xt_osf has the same issue with respect to xt_osf_fingers. > Also, it looks like nlmon devices created in an unprivileged netns can > see netlink activity from the init namespace. A fix that one would be good too.