summaryrefslogtreecommitdiffstats
path: root/net/netfilter
diff options
context:
space:
mode:
authorDavid S. Miller <davem@davemloft.net>2014-04-24 13:45:04 -0400
committerDavid S. Miller <davem@davemloft.net>2014-04-24 13:45:04 -0400
commit29e8f59cf1ff91f2854563faddc5f61098cf4958 (patch)
tree85d43e6c5d8b10fb79fcb9c402217f8eb54bbe12 /net/netfilter
parent98a46d46d1bc983125b6ff9a0e831050a7011713 (diff)
parent90f62cf30a78721641e08737bda787552428061e (diff)
downloadlinux-29e8f59cf1ff91f2854563faddc5f61098cf4958.tar.bz2
Merge branch 'netlink-caps'
Eric W. Biederman says: ==================== netlink: Preventing abuse when passing file descriptors. Andy Lutomirski when looking at the networking stack noticed that it is possible to trick privilged processes into calling write on a netlink socket and send netlink messages they did not intend. In particular from time to time there are suid applications that will write to stdout or stderr without checking exactly what kind of file descriptors those are and can be tricked into acting as a limited form of suid cat. In other conversations the magic string CVE-2014-0181 has been used to talk about this issue. This patchset cleans things up a bit, adds some clean abstractions that when used prevent this kind of problem and then finally changes all of the handlers of netlink messages that I could find that call capable to use netlink_ns_capable or an appropriate wrapper. The abstraction netlink_ns_capable verifies that the original creator of the netlink socket a message is sent from had the necessary capabilities as well as verifying that the current sender of a netlink packet has the necessary capabilities. The idea is to prevent file descriptor passing of any form from resulting in a file descriptor that can do more than it can for the creator of the file descriptor. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/netfilter')
-rw-r--r--net/netfilter/nfnetlink.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c
index e8138da4c14f..84392f3237c1 100644
--- a/net/netfilter/nfnetlink.c
+++ b/net/netfilter/nfnetlink.c
@@ -375,7 +375,7 @@ static void nfnetlink_rcv(struct sk_buff *skb)
skb->len < nlh->nlmsg_len)
return;
- if (!ns_capable(net->user_ns, CAP_NET_ADMIN)) {
+ if (!netlink_net_capable(skb, CAP_NET_ADMIN)) {
netlink_ack(skb, nlh, -EPERM);
return;
}