authorHarald Welte <laforge@netfilter.org>2005-11-09 16:02:16 -0500
committerDavid S. Miller <davem@davemloft.net>2005-11-09 16:02:16 -0500
commited77de9fc69076e6e7c85edf7c1b70650f53121a (patch)
treeeb75bc1a632003f97d50920023e7802f5e2ae169
parent5978a9b82c55b82a1087bd86e0ae8b00f94d0d0b (diff)
[NETFILTER] nfnetlink: only load subsystems if CAP_NET_ADMIN is set
Without this patch, any user can cause nfnetlink subsystems to be autoloaded. Those subsystems, however, can add significant overhead to packet processing, and would refuse any configuration messages from non-CAP_NET_ADMIN processes anyway. This patch follows a suggestion from Patrick McHardy. Signed-off-by: Harald Welte <laforge@netfilter.org> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--net/netfilter/nfnetlink.c17
1 files changed, 10 insertions, 7 deletions
diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c
index f8bd7c7e7921..83f4c53030fc 100644
--- a/net/netfilter/nfnetlink.c
+++ b/net/netfilter/nfnetlink.c
@@ -240,15 +240,18 @@ static inline int nfnetlink_rcv_msg(struct sk_buff *skb,
240 ss = nfnetlink_get_subsys(type); 240 ss = nfnetlink_get_subsys(type);
241 if (!ss) { 241 if (!ss) {
242#ifdef CONFIG_KMOD 242#ifdef CONFIG_KMOD
243 /* don't call nfnl_shunlock, since it would reenter 243 if (cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN)) {
244 * with further packet processing */ 244 /* don't call nfnl_shunlock, since it would reenter
245 up(&nfnl_sem); 245 * with further packet processing */
246 request_module("nfnetlink-subsys-%d", NFNL_SUBSYS_ID(type)); 246 up(&nfnl_sem);
247 nfnl_shlock(); 247 request_module("nfnetlink-subsys-%d",
248 ss = nfnetlink_get_subsys(type); 248 NFNL_SUBSYS_ID(type));
249 nfnl_shlock();
250 ss = nfnetlink_get_subsys(type);
251 }
249 if (!ss) 252 if (!ss)
250#endif 253#endif
251 goto err_inval; 254 goto err_inval;
252 } 255 }
253 256
254 nc = nfnetlink_find_client(type, ss); 257 nc = nfnetlink_find_client(type, ss);
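Review bot: The new `cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN)` gate around request_module() carries no comment, so nothing in the code records that it exists to keep unprivileged senders from forcing subsystem modules to load, and a later reader could easily fold it back into the plain `#ifdef CONFIG_KMOD` path. I would add, directly above the `if (cap_raised(...))` line, `/* only CAP_NET_ADMIN may trigger module autoload: an unprivileged sender must not be able to force subsystems (and their packet-path overhead) into the kernel */`. Note also that an unprivileged sender whose subsystem is not yet loaded now falls through to `goto err_inval` and sees EINVAL, indistinguishable from a bad subsystem id, whereas the commit message says loaded subsystems refuse such senders themselves (presumably with EPERM); a one-line comment that the EINVAL here is intentional, or a separate `return -EPERM` if userspace should be able to tell the cases apart, would settle that. Using the capabilities recorded in the skb's netlink control block is the right source here, since it reflects the sender at send time rather than whatever context runs the receive path. nfnetlink_rcv_msg begins and ends outside the hunk.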