From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Kevin Cernekee, Pablo Neira Ayuso, Michal Kubecek
Subject: [PATCH 4.14 04/71] netfilter: nfnetlink_cthelper: Add missing permission checks
Date: Mon, 29 Jan 2018 13:56:32 +0100
Message-Id: <20180129123827.598319730@linuxfoundation.org>
In-Reply-To: <20180129123827.271171825@linuxfoundation.org>

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kevin Cernekee

commit 4b380c42f7d00a395feede754f0bc2292eebe6e5 upstream.

The capability check in nfnetlink_rcv() verifies that the caller
has CAP_NET_ADMIN in the namespace that "owns" the netlink socket.
However, nfnl_cthelper_list is shared by all net namespaces on the
system.  An unprivileged user can create user and net namespaces
in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable()
check:

    $ nfct helper list
    nfct v1.4.4: netlink error: Operation not permitted
    $ vpnns -- nfct helper list
    {
            .name = ftp,
            .queuenum = 0,
            .l3protonum = 2,
            .l4protonum = 6,
            .priv_data_len = 24,
            .status = enabled,
    };

Add capable() checks in nfnetlink_cthelper, as this is cleaner than
trying to generalize the solution.

Signed-off-by: Kevin Cernekee
Signed-off-by: Pablo Neira Ayuso
Acked-by: Michal Kubecek
Signed-off-by: Greg Kroah-Hartman
---
 net/netfilter/nfnetlink_cthelper.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

--- a/net/netfilter/nfnetlink_cthelper.c +++ b/net/netfilter/nfnetlink_cthelper.c @@ -17,6 +17,7 @@ #include #include #include +#include #include #include @@ -407,6 +408,9 @@ static int nfnl_cthelper_new(struct net struct nfnl_cthelper *nlcth; int ret = 0; + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + if (!tb[NFCTH_NAME] || !tb[NFCTH_TUPLE]) return -EINVAL; @@ -611,6 +615,9 @@ static int nfnl_cthelper_get(struct net struct nfnl_cthelper *nlcth; bool tuple_set = false; + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + if (nlh->nlmsg_flags & NLM_F_DUMP) { struct netlink_dump_control c = { .dump = nfnl_cthelper_dump_table, @@ -678,6 +685,9 @@ static int nfnl_cthelper_del(struct net struct nfnl_cthelper *nlcth, *n; int j = 0, ret; + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + if (tb[NFCTH_NAME]) helper_name = nla_data(tb[NFCTH_NAME]);
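
Review bot: In the nfnl_cthelper_new() hunk (@@ -407), the new capable(CAP_NET_ADMIN) test carries no comment explaining why it checks against the initial user namespace when nfnetlink_rcv() already does a namespace-aware check. The reason is only in the commit message (nfnl_cthelper_list is shared by all net namespaces), so a short comment above the check saying that the helper list is global and netns-local CAP_NET_ADMIN is therefore not sufficient would keep someone from later "correcting" it to a namespace-aware check and reopening the bypass. Placement ahead of the tb[NFCTH_NAME] / tb[NFCTH_TUPLE] validation is right: an unprivileged caller gets -EPERM before any attribute is looked at.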
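
Review bot: In the nfnl_cthelper_get() hunk (@@ -611), the check sits above the NLM_F_DUMP branch, so read-only listing now returns -EPERM for every caller that holds CAP_NET_ADMIN only inside its own user namespace, and the changelog does not say that this is an intended behaviour change for such callers. Gating before the dump is started is the right spot, since it covers both the dump and the single-entry path with one test, but a sentence in the commit message stating that helper listing from a non-initial user namespace is denied on purpose would save a regression report from being treated as a bug.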
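
Review bot: In the nfnl_cthelper_del() hunk (@@ -678), this is the third verbatim copy of the same check, and the protection only holds as long as every handler in the file remembers to repeat it. Consider a small static helper called from new/get/del, or at least a comment where nfnl_cthelper_list is declared stating that every handler touching it must test capable(CAP_NET_ADMIN), so that a handler added later does not silently ship without the check.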