net: Use netlink_ns_capable to verify the permisions of netlink messages

It is possible by passing a netlink socket to a more privileged executable and then to fool that executable into writing to the socket data that happens to be valid netlink message to do something that privileged executable did not intend to do. To keep this from happening replace bare capable and ns_capable calls with netlink_capable, netlink_net_calls and netlink_ns_capable calls. Which act the same as the previous calls except they verify that the opener of the socket had the desired permissions as well. Reported-by: Andy Lutomirski <luto@amacapital.net> Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Eric W. Biederman <ebiederm@xmission.com> 2014-04-23 17:29:27 -0400
committer: David S. Miller <davem@davemloft.net> 2014-04-24 13:44:54 -0400
commit: 90f62cf30a78721641e08737bda787552428061e (patch)
tree: 85d43e6c5d8b10fb79fcb9c402217f8eb54bbe12 /net/sched
parent: aa4cf9452f469f16cea8c96283b641b4576d4a7b (diff)
3 files changed, 5 insertions, 5 deletions
diff --git a/net/sched/act_api.c b/net/sched/act_api.c
index 8a5ba5add4bc..648778aef1a2 100644
--- a/net/sched/act_api.c
+++ b/net/sched/act_api.c
@@ -948,7 +948,7 @@ static int tc_ctl_action(struct sk_buff *skb, struct nlmsghdr *n)
        u32 portid = skb ? NETLINK_CB(skb).portid : 0;
        int ret = 0, ovr = 0;
-        if ((n->nlmsg_type != RTM_GETACTION) && !capable(CAP_NET_ADMIN))
+        if ((n->nlmsg_type != RTM_GETACTION) && !netlink_capable(skb, CAP_NET_ADMIN))
                return -EPERM;
        ret = nlmsg_parse(n, sizeof(struct tcamsg), tca, TCA_ACT_MAX, NULL);
diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c
index 29a30a14c315..bdbdb1a7920a 100644
--- a/net/sched/cls_api.c
+++ b/net/sched/cls_api.c
@@ -134,7 +134,7 @@ static int tc_ctl_tfilter(struct sk_buff *skb, struct nlmsghdr *n)
        int err;
        int tp_created = 0;
-        if ((n->nlmsg_type != RTM_GETTFILTER) && !capable(CAP_NET_ADMIN))
+        if ((n->nlmsg_type != RTM_GETTFILTER) && !netlink_capable(skb, CAP_NET_ADMIN))
                return -EPERM;
 replay:
diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c
index a0b84e0e22de..400769014bbd 100644
--- a/net/sched/sch_api.c
+++ b/net/sched/sch_api.c
@@ -1084,7 +1084,7 @@ static int tc_get_qdisc(struct sk_buff *skb, struct nlmsghdr *n)
        struct Qdisc *p = NULL;
        int err;
-        if ((n->nlmsg_type != RTM_GETQDISC) && !capable(CAP_NET_ADMIN))
+        if ((n->nlmsg_type != RTM_GETQDISC) && !netlink_capable(skb, CAP_NET_ADMIN))
                return -EPERM;
        err = nlmsg_parse(n, sizeof(*tcm), tca, TCA_MAX, NULL);
@@ -1151,7 +1151,7 @@ static int tc_modify_qdisc(struct sk_buff *skb, struct nlmsghdr *n)
        struct Qdisc *q, *p;
        int err;
-        if (!capable(CAP_NET_ADMIN))
+        if (!netlink_capable(skb, CAP_NET_ADMIN))
                return -EPERM;
 replay:
@@ -1490,7 +1490,7 @@ static int tc_ctl_tclass(struct sk_buff *skb, struct nlmsghdr *n)
        u32 qid;
        int err;
-        if ((n->nlmsg_type != RTM_GETTCLASS) && !capable(CAP_NET_ADMIN))
+        if ((n->nlmsg_type != RTM_GETTCLASS) && !netlink_capable(skb, CAP_NET_ADMIN))
                return -EPERM;
        err = nlmsg_parse(n, sizeof(*tcm), tca, TCA_MAX, NULL);
author	Eric W. Biederman <ebiederm@xmission.com>	2014-04-23 17:29:27 -0400
committer	David S. Miller <davem@davemloft.net>	2014-04-24 13:44:54 -0400
commit	90f62cf30a78721641e08737bda787552428061e (patch)
tree	85d43e6c5d8b10fb79fcb9c402217f8eb54bbe12 /net/sched
parent	aa4cf9452f469f16cea8c96283b641b4576d4a7b (diff)

diff --git a/net/sched/act_api.c b/net/sched/act_api.c index 8a5ba5add4bc..648778aef1a2 100644 --- a/net/sched/act_api.c +++ b/net/sched/act_api.c
@@ -948,7 +948,7 @@ static int tc_ctl_action(struct sk_buff skb, struct nlmsghdr n)
948	u32 portid = skb ? NETLINK_CB(skb).portid : 0;	948	u32 portid = skb ? NETLINK_CB(skb).portid : 0;
949	int ret = 0, ovr = 0;	949	int ret = 0, ovr = 0;
950		950
951	if ((n->nlmsg_type != RTM_GETACTION) && !capable(CAP_NET_ADMIN))	951	if ((n->nlmsg_type != RTM_GETACTION) && !netlink_capable(skb, CAP_NET_ADMIN))
952	return -EPERM;	952	return -EPERM;
953		953
954	ret = nlmsg_parse(n, sizeof(struct tcamsg), tca, TCA_ACT_MAX, NULL);	954	ret = nlmsg_parse(n, sizeof(struct tcamsg), tca, TCA_ACT_MAX, NULL);


diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c index 29a30a14c315..bdbdb1a7920a 100644 --- a/net/sched/cls_api.c +++ b/net/sched/cls_api.c
@@ -134,7 +134,7 @@ static int tc_ctl_tfilter(struct sk_buff skb, struct nlmsghdr n)
134	int err;	134	int err;
135	int tp_created = 0;	135	int tp_created = 0;
136		136
137	if ((n->nlmsg_type != RTM_GETTFILTER) && !capable(CAP_NET_ADMIN))	137	if ((n->nlmsg_type != RTM_GETTFILTER) && !netlink_capable(skb, CAP_NET_ADMIN))
138	return -EPERM;	138	return -EPERM;
139		139
140	replay:	140	replay:


diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c index a0b84e0e22de..400769014bbd 100644 --- a/net/sched/sch_api.c +++ b/net/sched/sch_api.c
@@ -1084,7 +1084,7 @@ static int tc_get_qdisc(struct sk_buff skb, struct nlmsghdr n)
1084	struct Qdisc *p = NULL;	1084	struct Qdisc *p = NULL;
1085	int err;	1085	int err;
1086		1086
1087	if ((n->nlmsg_type != RTM_GETQDISC) && !capable(CAP_NET_ADMIN))	1087	if ((n->nlmsg_type != RTM_GETQDISC) && !netlink_capable(skb, CAP_NET_ADMIN))
1088	return -EPERM;	1088	return -EPERM;
1089		1089
1090	err = nlmsg_parse(n, sizeof(*tcm), tca, TCA_MAX, NULL);	1090	err = nlmsg_parse(n, sizeof(*tcm), tca, TCA_MAX, NULL);
@@ -1151,7 +1151,7 @@ static int tc_modify_qdisc(struct sk_buff skb, struct nlmsghdr n)
1151	struct Qdisc q, p;	1151	struct Qdisc q, p;
1152	int err;	1152	int err;
1153		1153
1154	if (!capable(CAP_NET_ADMIN))	1154	if (!netlink_capable(skb, CAP_NET_ADMIN))
1155	return -EPERM;	1155	return -EPERM;
1156		1156
1157	replay:	1157	replay:
@@ -1490,7 +1490,7 @@ static int tc_ctl_tclass(struct sk_buff skb, struct nlmsghdr n)
1490	u32 qid;	1490	u32 qid;
1491	int err;	1491	int err;
1492		1492
1493	if ((n->nlmsg_type != RTM_GETTCLASS) && !capable(CAP_NET_ADMIN))	1493	if ((n->nlmsg_type != RTM_GETTCLASS) && !netlink_capable(skb, CAP_NET_ADMIN))
1494	return -EPERM;	1494	return -EPERM;
1495		1495
1496	err = nlmsg_parse(n, sizeof(*tcm), tca, TCA_MAX, NULL);	1496	err = nlmsg_parse(n, sizeof(*tcm), tca, TCA_MAX, NULL);