netfilter: xt_osf: Add missing permission checks - linux-dev - Linux kernel development work

diff options

author	Kevin Cernekee <cernekee@chromium.org>	2017-12-05 15:42:41 -0800
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2017-12-06 09:01:18 +0100
commit	916a27901de01446bcf57ecca4783f6cff493309 (patch)
tree	4c799eda5882355010e6fca6bfb478210b8012bb /tools/perf/scripts/python/export-to-postgresql.py
parent	netfilter: xt_bpf: add overflow checks (diff)
download	linux-dev-916a27901de01446bcf57ecca4783f6cff493309.tar.xz linux-dev-916a27901de01446bcf57ecca4783f6cff493309.zip

netfilter: xt_osf: Add missing permission checks

The capability check in nfnetlink_rcv() verifies that the caller has CAP_NET_ADMIN in the namespace that "owns" the netlink socket. However, xt_osf_fingers is shared by all net namespaces on the system. An unprivileged user can create user and net namespaces in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable() check: vpnns -- nfnl_osf -f /tmp/pf.os vpnns -- nfnl_osf -f /tmp/pf.os -d These non-root operations successfully modify the systemwide OS fingerprint list. Add new capable() checks so that they can't. Signed-off-by: Kevin Cernekee <cernekee@chromium.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Diffstat (limited to 'tools/perf/scripts/python/export-to-postgresql.py')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: