netfilter: xt_osf: Add missing permission checks - kernel/linux.git

diff options

author	Kevin Cernekee <cernekee@chromium.org>	2017-12-06 02:42:41 +0300
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2017-12-06 11:01:18 +0300
commit	916a27901de01446bcf57ecca4783f6cff493309 (patch)
tree	4c799eda5882355010e6fca6bfb478210b8012bb /net/ipv4
parent	6ab405114b0b229151ef06f4e31c7834dd09d0c0 (diff)
download	linux-916a27901de01446bcf57ecca4783f6cff493309.tar.xz

netfilter: xt_osf: Add missing permission checks

The capability check in nfnetlink_rcv() verifies that the caller has CAP_NET_ADMIN in the namespace that "owns" the netlink socket. However, xt_osf_fingers is shared by all net namespaces on the system. An unprivileged user can create user and net namespaces in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable() check: vpnns -- nfnl_osf -f /tmp/pf.os vpnns -- nfnl_osf -f /tmp/pf.os -d These non-root operations successfully modify the systemwide OS fingerprint list. Add new capable() checks so that they can't. Signed-off-by: Kevin Cernekee <cernekee@chromium.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Diffstat (limited to 'net/ipv4')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: