author | Harald Welte <laforge@netfilter.org> | 2005-11-14 18:24:59 -0500 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2005-11-14 18:24:59 -0500 |
commit | 37d2e7a20d745035b600f1a6be56cbb9c7259419 (patch) | |
tree | c76e0ba522d34c8b3021bf0f012632f7877f5281 | |
parent | 3746a2b1402e7933c7f1eabdce384b8454dc2ef7 (diff) |
[NETFILTER] nfnetlink: unconditionally require CAP_NET_ADMIN
This patch unconditionally requires CAP_NET_ADMIN for all nfnetlink
messages. It also removes the per-message cap_required field, since all
existing subsystems use CAP_NET_ADMIN for all their messages anyway.
Patrick McHardy owes me a beer if we ever need to re-introduce this.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | include/linux/netfilter/nfnetlink.h | 1 | ||||
-rw-r--r-- | net/ipv4/netfilter/ip_conntrack_netlink.c | 21 | ||||
-rw-r--r-- | net/netfilter/nfnetlink.c | 28 | ||||
-rw-r--r-- | net/netfilter/nfnetlink_log.c | 6 | ||||
-rw-r--r-- | net/netfilter/nfnetlink_queue.c | 9 |
5 files changed, 24 insertions, 41 deletions
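--- a/include/linux/netfilter/nfnetlink.h
+++ b/include/linux/netfilter/nfnetlink.h
@@ -112,7 +112,6 @@ struct nfnl_callback
 {
 	int (*call)(struct sock *nl, struct sk_buff *skb,
 		    struct nlmsghdr *nlh, struct nfattr *cda[], int *errp);
-	kernel_cap_t cap_required; /* capabilities required for this msg */
 	u_int16_t attr_count; /* number of nfattr's */
 };
 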
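--- a/net/ipv4/netfilter/ip_conntrack_netlink.c
+++ b/net/ipv4/netfilter/ip_conntrack_netlink.c
@@ -1543,29 +1543,22 @@ static struct notifier_block ctnl_notifier_exp = {
 
 static struct nfnl_callback ctnl_cb[IPCTNL_MSG_MAX] = {
 	[IPCTNL_MSG_CT_NEW] = { .call = ctnetlink_new_conntrack,
-				.attr_count = CTA_MAX,
-				.cap_required = CAP_NET_ADMIN },
+				.attr_count = CTA_MAX, },
 	[IPCTNL_MSG_CT_GET] = { .call = ctnetlink_get_conntrack,
-				.attr_count = CTA_MAX,
-				.cap_required = CAP_NET_ADMIN },
+				.attr_count = CTA_MAX, },
 	[IPCTNL_MSG_CT_DELETE] = { .call = ctnetlink_del_conntrack,
-				.attr_count = CTA_MAX,
-				.cap_required = CAP_NET_ADMIN },
+				.attr_count = CTA_MAX, },
 	[IPCTNL_MSG_CT_GET_CTRZERO] = { .call = ctnetlink_get_conntrack,
-				.attr_count = CTA_MAX,
-				.cap_required = CAP_NET_ADMIN },
+				.attr_count = CTA_MAX, },
 };
 
 static struct nfnl_callback ctnl_exp_cb[IPCTNL_MSG_EXP_MAX] = {
 	[IPCTNL_MSG_EXP_GET] = { .call = ctnetlink_get_expect,
-				.attr_count = CTA_EXPECT_MAX,
-				.cap_required = CAP_NET_ADMIN },
+				.attr_count = CTA_EXPECT_MAX, },
 	[IPCTNL_MSG_EXP_NEW] = { .call = ctnetlink_new_expect,
-				.attr_count = CTA_EXPECT_MAX,
-				.cap_required = CAP_NET_ADMIN },
+				.attr_count = CTA_EXPECT_MAX, },
 	[IPCTNL_MSG_EXP_DELETE] = { .call = ctnetlink_del_expect,
-				.attr_count = CTA_EXPECT_MAX,
-				.cap_required = CAP_NET_ADMIN },
+				.attr_count = CTA_EXPECT_MAX, },
 };
 
 static struct nfnetlink_subsystem ctnl_subsys = {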
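--- a/net/netfilter/nfnetlink.c
+++ b/net/netfilter/nfnetlink.c
@@ -223,6 +223,12 @@ static inline int nfnetlink_rcv_msg(struct sk_buff *skb,
 		NFNL_SUBSYS_ID(nlh->nlmsg_type),
 		NFNL_MSG_TYPE(nlh->nlmsg_type));
 
+	if (!cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN)) {
+		DEBUGP("missing CAP_NET_ADMIN\n");
+		*errp = -EPERM;
+		return -1;
+	}
+
 	/* Only requests are handled by kernel now. */
 	if (!(nlh->nlmsg_flags & NLM_F_REQUEST)) {
 		DEBUGP("received non-request message\n");
@@ -240,15 +246,12 @@ static inline int nfnetlink_rcv_msg(struct sk_buff *skb,
 	ss = nfnetlink_get_subsys(type);
 	if (!ss) {
 #ifdef CONFIG_KMOD
-		if (cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN)) {
-			/* don't call nfnl_shunlock, since it would reenter
-			 * with further packet processing */
-			up(&nfnl_sem);
-			request_module("nfnetlink-subsys-%d",
-				       NFNL_SUBSYS_ID(type));
-			nfnl_shlock();
-			ss = nfnetlink_get_subsys(type);
-		}
+		/* don't call nfnl_shunlock, since it would reenter
+		 * with further packet processing */
+		up(&nfnl_sem);
+		request_module("nfnetlink-subsys-%d", NFNL_SUBSYS_ID(type));
+		nfnl_shlock();
+		ss = nfnetlink_get_subsys(type);
 		if (!ss)
 #endif
 			goto err_inval;
@@ -260,13 +263,6 @@ static inline int nfnetlink_rcv_msg(struct sk_buff *skb,
 		goto err_inval;
 	}
 
-	if (nc->cap_required &&
-	    !cap_raised(NETLINK_CB(skb).eff_cap, nc->cap_required)) {
-		DEBUGP("permission denied for type %d\n", type);
-		*errp = -EPERM;
-		return -1;
-	}
-
 	{
 		u_int16_t attr_count =
 			ss->cb[NFNL_MSG_TYPE(nlh->nlmsg_type)].attr_count;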
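Review bot: The CAP_NET_ADMIN check added at new lines 226-230 carries no comment, and nothing at the request_module() call in the second hunk (new lines 251-254) records that the module-autoload path now relies on that earlier check instead of its own cap_raised() test. A later reordering or early return inserted between the two would silently re-expose autoloading on a user-supplied subsystem id to unprivileged sockets, and nothing in the code would flag it. Suggest `/* all nfnetlink messages require CAP_NET_ADMIN; replaces the per-callback cap_required check */` above the new check, and `/* autoload relies on the CAP_NET_ADMIN check at the top of this function */` above request_module(). nfnetlink_rcv_msg begins and ends outside these hunks.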
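--- a/net/netfilter/nfnetlink_log.c
+++ b/net/netfilter/nfnetlink_log.c
@@ -862,11 +862,9 @@ out_put:
 
 static struct nfnl_callback nfulnl_cb[NFULNL_MSG_MAX] = {
 	[NFULNL_MSG_PACKET] = { .call = nfulnl_recv_unsupp,
-				.attr_count = NFULA_MAX,
-				.cap_required = CAP_NET_ADMIN, },
+				.attr_count = NFULA_MAX, },
 	[NFULNL_MSG_CONFIG] = { .call = nfulnl_recv_config,
-				.attr_count = NFULA_CFG_MAX,
-				.cap_required = CAP_NET_ADMIN },
+				.attr_count = NFULA_CFG_MAX, },
 };
 
 static struct nfnetlink_subsystem nfulnl_subsys = {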
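--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -931,14 +931,11 @@ out_put:
 
 static struct nfnl_callback nfqnl_cb[NFQNL_MSG_MAX] = {
 	[NFQNL_MSG_PACKET] = { .call = nfqnl_recv_unsupp,
-				.attr_count = NFQA_MAX,
-				.cap_required = CAP_NET_ADMIN },
+				.attr_count = NFQA_MAX, },
 	[NFQNL_MSG_VERDICT] = { .call = nfqnl_recv_verdict,
-				.attr_count = NFQA_MAX,
-				.cap_required = CAP_NET_ADMIN },
+				.attr_count = NFQA_MAX, },
 	[NFQNL_MSG_CONFIG] = { .call = nfqnl_recv_config,
-				.attr_count = NFQA_CFG_MAX,
-				.cap_required = CAP_NET_ADMIN },
+				.attr_count = NFQA_CFG_MAX, },
 };
 
 static struct nfnetlink_subsystem nfqnl_subsys = {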