Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753968AbdLFICJ (ORCPT ); Wed, 6 Dec 2017 03:02:09 -0500 Received: from mail.us.es ([193.147.175.20]:56072 "EHLO mail.us.es" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752957AbdLFICE (ORCPT ); Wed, 6 Dec 2017 03:02:04 -0500 Date: Wed, 6 Dec 2017 09:01:34 +0100 X-SMTPAUTHUS: auth mail.us.es From: Pablo Neira Ayuso To: Kevin Cernekee Cc: netfilter-devel@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH] netfilter: xt_osf: Add missing permission checks Message-ID: <20171206080134.GA2844@salvia> References: <1512517361-23689-1-git-send-email-cernekee@chromium.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1512517361-23689-1-git-send-email-cernekee@chromium.org> User-Agent: Mutt/1.5.23 (2014-03-12) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 655 Lines: 16 On Tue, Dec 05, 2017 at 03:42:41PM -0800, Kevin Cernekee wrote: > The capability check in nfnetlink_rcv() verifies that the caller > has CAP_NET_ADMIN in the namespace that "owns" the netlink socket. > However, xt_osf_fingers is shared by all net namespaces on the > system. An unprivileged user can create user and net namespaces > in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable() > check: > > vpnns -- nfnl_osf -f /tmp/pf.os > > vpnns -- nfnl_osf -f /tmp/pf.os -d > > These non-root operations successfully modify the systemwide OS > fingerprint list. Add new capable() checks so that they can't. Applied, thanks Kevin.