From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Kevin Cernekee, Pablo Neira Ayuso, Michal Kubecek
Subject: [PATCH 4.9 20/66] netfilter: nfnetlink_cthelper: Add missing permission checks
Date: Mon, 29 Jan 2018 13:56:44 +0100
Message-Id: <20180129123840.892707494@linuxfoundation.org>
In-Reply-To: <20180129123839.842860149@linuxfoundation.org>
References: <20180129123839.842860149@linuxfoundation.org>
X-Mailer: git-send-email 2.16.1
User-Agent: quilt/0.65
X-Mailing-List: linux-kernel@vger.kernel.org

4.9-stable review patch. If anyone has any objections, please let me know.

------------------
From: Kevin Cernekee

commit 4b380c42f7d00a395feede754f0bc2292eebe6e5 upstream.

The capability check in nfnetlink_rcv() verifies that the caller has
CAP_NET_ADMIN in the namespace that "owns" the netlink socket. However,
nfnl_cthelper_list is shared by all net namespaces on the system. An
unprivileged user can create user and net namespaces in which he holds
CAP_NET_ADMIN to bypass the netlink_net_capable() check:

  $ nfct helper list
  nfct v1.4.4: netlink error: Operation not permitted

  $ vpnns -- nfct helper list
  {
          .name = ftp,
          .queuenum = 0,
          .l3protonum = 2,
          .l4protonum = 6,
          .priv_data_len = 24,
          .status = enabled,
  };

Add capable() checks in nfnetlink_cthelper, as this is cleaner than
trying to generalize the solution.

Signed-off-by: Kevin Cernekee
Signed-off-by: Pablo Neira Ayuso
Acked-by: Michal Kubecek
Signed-off-by: Greg Kroah-Hartman

---
 net/netfilter/nfnetlink_cthelper.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

--- a/net/netfilter/nfnetlink_cthelper.c +++ b/net/netfilter/nfnetlink_cthelper.c @@ -17,6 +17,7 @@ #include #include #include +#include #include #include @@ -392,6 +393,9 @@ static int nfnl_cthelper_new(struct net struct nfnl_cthelper *nlcth; int ret = 0; + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + if (!tb[NFCTH_NAME] || !tb[NFCTH_TUPLE]) return -EINVAL; @@ -595,6 +599,9 @@ static int nfnl_cthelper_get(struct net struct nfnl_cthelper *nlcth; bool tuple_set = false; + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + if (nlh->nlmsg_flags & NLM_F_DUMP) { struct netlink_dump_control c = { .dump = nfnl_cthelper_dump_table, @@ -661,6 +668,9 @@ static int nfnl_cthelper_del(struct net struct nfnl_cthelper *nlcth, *n; int j = 0, ret; + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + if (tb[NFCTH_NAME]) helper_name = nla_data(tb[NFCTH_NAME]);
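Review bot: in the nfnl_cthelper_new hunk the new test is capable(CAP_NET_ADMIN), i.e. against the initial user namespace, so a caller that holds CAP_NET_ADMIN only in a child user namespace now gets -EPERM even though nfnetlink_rcv() has already admitted it via netlink_net_capable(); that asymmetry is the whole point (nfnl_cthelper_list is global), but a one-line comment at the check saying so would stop a later cleanup from "simplifying" it back to the per-namespace helper. Putting it ahead of the `if (!tb[NFCTH_NAME] || !tb[NFCTH_TUPLE])` validation is the right order: a caller without the capability gets EPERM before it can learn which attributes the handler expects.

Review bot: in the nfnl_cthelper_get hunk the check correctly sits before the `if (nlh->nlmsg_flags & NLM_F_DUMP)` branch; the dump callback nfnl_cthelper_dump_table is run later through netlink_dump_start and carries no check of its own in this patch, so moving the test below that branch would leave the list readable from a child namespace, which is exactly the `vpnns -- nfct helper list` case in the commit message. Style point: the identical three lines now appear in new, get and del; a single check in the subsystem dispatch would keep a future fourth handler from forgetting it, though the commit message explicitly prefers per-handler checks over generalizing.

Review bot: in the nfnl_cthelper_del hunk the check precedes the read of tb[NFCTH_NAME], so an unprivileged caller cannot distinguish existing from non-existing helper names by the error code; keep that ordering. With authorization now global, the struct net argument these handlers receive no longer participates in the permission decision, which is worth a short comment near the checks so the next reader does not look for a per-namespace helper list that does not exist.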
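To make the precondition in the commit message concrete, the following is an added userspace example; it is not part of this patch or of the kernel tree. It reads the process's effective capability mask from /proc/self/status, unshares a user namespace together with a net namespace, maps itself to uid/gid 0 there (the same thing a tool like vpnns does), and reads the mask again. The second read shows CAP_NET_ADMIN held in the new user namespace, which is what netlink_net_capable() tests for a netlink socket opened afterwards, whereas the capable() checks this patch adds keep testing against the initial user namespace. The function names, the hard-coded capability bit and the uid/gid mapping are this example's own choices; it does not send any nfnetlink messages.

```c
/* Added example (not from the patch or the kernel tree): show, from userspace,
 * why netlink_net_capable() and capable() disagree once an unprivileged process
 * has created its own user + net namespace.
 *
 * Build on Linux: cc -Wall -O2 -o nsdemo nsdemo.c
 * No root needed unless unprivileged user namespaces are disabled.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Bit index of CAP_NET_ADMIN in the CapEff mask (same value as linux/capability.h). */
#define CAP_NET_ADMIN_BIT 12

/* Return 1 if bit `cap` is set in a CapEff hex string as printed by
 * /proc/self/status (e.g. "0000003fffffffff"), 0 if clear, -1 on bad input. */
int cap_in_mask(const char *hexmask, int cap)
{
    char *end;
    errno = 0;
    unsigned long long mask = strtoull(hexmask, &end, 16);
    if (errno || end == hexmask || *end != '\0' || cap < 0 || cap > 63)
        return -1;
    return (int)((mask >> cap) & 1ULL);
}

/* Copy the value of the CapEff line of /proc/self/status into `out`. */
static int read_cap_eff(char *out, size_t n)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    char line[256];
    int found = -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "CapEff:", 7) == 0) {
            const char *p = line + 7;
            while (*p == ' ' || *p == '\t')
                p++;
            size_t len = strcspn(p, "\n");
            if (len < n) {
                memcpy(out, p, len);
                out[len] = '\0';
                found = 0;
            }
            break;
        }
    }
    fclose(f);
    return found;
}

/* The id-map files must be written with a single write(2). */
static int write_file(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return -1;
    ssize_t w = write(fd, data, strlen(data));
    close(fd);
    return w == (ssize_t)strlen(data) ? 0 : -1;
}

/* Enter a fresh user + net namespace and become uid/gid 0 inside it.
 * Returns 0 on success, -1 with errno set if the kernel refuses (for
 * example when unprivileged user namespaces are disabled). */
int enter_user_net_ns(void)
{
    char map[64];
    uid_t uid = getuid();
    gid_t gid = getgid();

    if (unshare(CLONE_NEWUSER | CLONE_NEWNET) < 0)
        return -1;
    /* Map the original uid/gid to 0; setgroups must be denied before an
     * unprivileged process is allowed to write gid_map. */
    snprintf(map, sizeof map, "0 %u 1", (unsigned)uid);
    if (write_file("/proc/self/uid_map", map) < 0)
        return -1;
    if (write_file("/proc/self/setgroups", "deny") < 0)
        return -1;
    snprintf(map, sizeof map, "0 %u 1", (unsigned)gid);
    return write_file("/proc/self/gid_map", map);
}

int main(void)
{
    char caps[64];

    if (read_cap_eff(caps, sizeof caps) == 0)
        printf("before unshare: CapEff=%s CAP_NET_ADMIN=%d (initial user ns)\n",
               caps, cap_in_mask(caps, CAP_NET_ADMIN_BIT));

    if (enter_user_net_ns() < 0) {
        perror("enter_user_net_ns");
        return 1;
    }
    /* netlink_net_capable() on a socket created from here on consults this
     * user ns and passes; capable() still consults the initial user ns. */
    if (read_cap_eff(caps, sizeof caps) == 0)
        printf("after unshare:  CapEff=%s CAP_NET_ADMIN=%d (new user ns only)\n",
               caps, cap_in_mask(caps, CAP_NET_ADMIN_BIT));
    return 0;
}
```

Run it as an ordinary user: the first line normally reports CAP_NET_ADMIN=0 and the second CAP_NET_ADMIN=1, even though nothing changed in the initial user namespace. On a system where unprivileged user namespaces are disabled the unshare fails with EPERM and the program reports that instead, which is also the environment in which the pre-patch check was not bypassable by this route.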