diff options
author | Florian Westphal <fwestphal@astaro.com> | 2010-01-08 11:31:24 -0500 |
---|---|---|
committer | Patrick McHardy <kaber@trash.net> | 2010-01-08 11:31:24 -0500 |
commit | dce766af541f6605fa9889892c0280bab31c66ab (patch) | |
tree | fd9a11a09bf038336429f33dc092333aa745edb1 | |
parent | aaff23a95aea5f000895f50d90e91f1e2f727002 (diff) |
netfilter: ebtables: enforce CAP_NET_ADMIN
normal users are currently allowed to set/modify ebtables rules.
Restrict it to processes with CAP_NET_ADMIN.
Note that this cannot be reproduced with unmodified ebtables binary
because it uses SOCK_RAW.
Signed-off-by: Florian Westphal <fwestphal@astaro.com>
Cc: stable@kernel.org
Signed-off-by: Patrick McHardy <kaber@trash.net>
-rw-r--r-- | net/bridge/netfilter/ebtables.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c index bd1c65425d4f..0b7f262cd148 100644 --- a/net/bridge/netfilter/ebtables.c +++ b/net/bridge/netfilter/ebtables.c | |||
@@ -1406,6 +1406,9 @@ static int do_ebt_set_ctl(struct sock *sk, | |||
1406 | { | 1406 | { |
1407 | int ret; | 1407 | int ret; |
1408 | 1408 | ||
1409 | if (!capable(CAP_NET_ADMIN)) | ||
1410 | return -EPERM; | ||
1411 | |||
1409 | switch(cmd) { | 1412 | switch(cmd) { |
1410 | case EBT_SO_SET_ENTRIES: | 1413 | case EBT_SO_SET_ENTRIES: |
1411 | ret = do_replace(sock_net(sk), user, len); | 1414 | ret = do_replace(sock_net(sk), user, len); |
@@ -1425,6 +1428,9 @@ static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len) | |||
1425 | struct ebt_replace tmp; | 1428 | struct ebt_replace tmp; |
1426 | struct ebt_table *t; | 1429 | struct ebt_table *t; |
1427 | 1430 | ||
1431 | if (!capable(CAP_NET_ADMIN)) | ||
1432 | return -EPERM; | ||
1433 | |||
1428 | if (copy_from_user(&tmp, user, sizeof(tmp))) | 1434 | if (copy_from_user(&tmp, user, sizeof(tmp))) |
1429 | return -EFAULT; | 1435 | return -EFAULT; |
1430 | 1436 | ||