From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Kevin Cernekee, Pablo Neira Ayuso, Michal Kubecek
Subject: [PATCH 4.4 39/74] netfilter: nfnetlink_cthelper: Add missing permission checks
Date: Mon, 29 Jan 2018 13:56:44 +0100
Message-Id: <20180129123849.348697817@linuxfoundation.org>
In-Reply-To: <20180129123847.507563674@linuxfoundation.org>
References: <20180129123847.507563674@linuxfoundation.org>
X-Mailer: git-send-email 2.16.1
User-Agent: quilt/0.65
X-Mailing-List: linux-kernel@vger.kernel.org

4.4-stable review patch. If anyone has any objections, please let me know.

------------------
From: Kevin Cernekee commit 4b380c42f7d00a395feede754f0bc2292eebe6e5 upstream. The capability check in nfnetlink_rcv() verifies that the caller has CAP_NET_ADMIN in the namespace that "owns" the netlink socket. However, nfnl_cthelper_list is shared by all net namespaces on the system. An unprivileged user can create user and net namespaces in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable() check: $ nfct helper list nfct v1.4.4: netlink error: Operation not permitted $ vpnns -- nfct helper list { .name = ftp, .queuenum = 0, .l3protonum = 2, .l4protonum = 6, .priv_data_len = 24, .status = enabled, }; Add capable() checks in nfnetlink_cthelper, as this is cleaner than trying to generalize the solution. Signed-off-by: Kevin Cernekee Signed-off-by: Pablo Neira Ayuso Acked-by: Michal Kubecek Signed-off-by: Greg Kroah-Hartman --- net/netfilter/nfnetlink_cthelper.c | 10 ++++++++++ 1 file changed, 10 insertions(+) --- a/net/netfilter/nfnetlink_cthelper.c +++ b/net/netfilter/nfnetlink_cthelper.c @@ -17,6 +17,7 @@ #include #include #include +#include #include #include @@ -392,6 +393,9 @@ nfnl_cthelper_new(struct sock *nfnl, str struct nfnl_cthelper *nlcth; int ret = 0; + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + if (!tb[NFCTH_NAME] || !tb[NFCTH_TUPLE]) return -EINVAL; @@ -595,6 +599,9 @@ nfnl_cthelper_get(struct sock *nfnl, str struct nfnl_cthelper *nlcth; bool tuple_set = false; + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + if (nlh->nlmsg_flags & NLM_F_DUMP) { struct netlink_dump_control c = { .dump = nfnl_cthelper_dump_table, @@ -661,6 +668,9 @@ nfnl_cthelper_del(struct sock *nfnl, str struct nfnl_cthelper *nlcth, *n; int j = 0, ret; + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + if (tb[NFCTH_NAME]) helper_name = nla_data(tb[NFCTH_NAME]);
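Review bot: the `if (!capable(CAP_NET_ADMIN))` check added at the top of nfnl_cthelper_new() intentionally tests the initial user namespace rather than the namespace owning the socket, which is the whole point of the fix since nfnl_cthelper_list is global, but nothing in the code records that, and nfnetlink_rcv() already performs a per-namespace check, so a later reader could mistake the global check for an oversight and "fix" it back to netlink_net_capable(). Suggest a one-line comment above the check, e.g. `/* nfnl_cthelper_list is global: require CAP_NET_ADMIN in the initial namespace */`. Placing the check ahead of the `!tb[NFCTH_NAME] || !tb[NFCTH_TUPLE]` validation is the right order: an unprivileged caller gets -EPERM before any attribute is interpreted.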
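Review bot: in nfnl_cthelper_get() the new check sits before the `nlh->nlmsg_flags & NLM_F_DUMP` branch, so the dump path (the one `nfct helper list` in the commit message exercises) is gated as well as single-entry lookups, which is what the fix needs. One consequence deserves a sentence in the commit message: read-only enumeration of helpers now also requires CAP_NET_ADMIN in the initial namespace, so tooling that runs inside a user/net namespace with its own CAP_NET_ADMIN and only lists helpers will start seeing "Operation not permitted", exactly as the second shell transcript in the description shows.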
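Review bot: with the nfnl_cthelper_del() hunk, the three handlers now carry an identical `if (!capable(CAP_NET_ADMIN)) return -EPERM;` block; the commit message explains why per-handler checks were preferred over generalising nfnetlink_rcv(), but with three copies it would be worth a short comment in each (or a tiny shared helper) so the next callback added to this file's nfnl_callback table does not silently miss the check. The early return is correctly placed before `helper_name = nla_data(tb[NFCTH_NAME])`, so no attribute is dereferenced on behalf of an unprivileged caller.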