aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorFlorian Westphal <fwestphal@astaro.com>2010-01-08 11:31:24 -0500
committerPatrick McHardy <kaber@trash.net>2010-01-08 11:31:24 -0500
commitdce766af541f6605fa9889892c0280bab31c66ab (patch)
treefd9a11a09bf038336429f33dc092333aa745edb1
parentaaff23a95aea5f000895f50d90e91f1e2f727002 (diff)
netfilter: ebtables: enforce CAP_NET_ADMIN
normal users are currently allowed to set/modify ebtables rules. Restrict it to processes with CAP_NET_ADMIN. Note that this cannot be reproduced with unmodified ebtables binary because it uses SOCK_RAW. Signed-off-by: Florian Westphal <fwestphal@astaro.com> Cc: stable@kernel.org Signed-off-by: Patrick McHardy <kaber@trash.net>
-rw-r--r--net/bridge/netfilter/ebtables.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index bd1c65425d4f..0b7f262cd148 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -1406,6 +1406,9 @@ static int do_ebt_set_ctl(struct sock *sk,
1406{ 1406{
1407 int ret; 1407 int ret;
1408 1408
1409 if (!capable(CAP_NET_ADMIN))
1410 return -EPERM;
1411
1409 switch(cmd) { 1412 switch(cmd) {
1410 case EBT_SO_SET_ENTRIES: 1413 case EBT_SO_SET_ENTRIES:
1411 ret = do_replace(sock_net(sk), user, len); 1414 ret = do_replace(sock_net(sk), user, len);
@@ -1425,6 +1428,9 @@ static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
1425 struct ebt_replace tmp; 1428 struct ebt_replace tmp;
1426 struct ebt_table *t; 1429 struct ebt_table *t;
1427 1430
1431 if (!capable(CAP_NET_ADMIN))
1432 return -EPERM;
1433
1428 if (copy_from_user(&tmp, user, sizeof(tmp))) 1434 if (copy_from_user(&tmp, user, sizeof(tmp)))
1429 return -EFAULT; 1435 return -EFAULT;
1430 1436