netfilter: xt_osf: Add missing permission checks - blaster4385/linux-IllusionX - Linux kernel with personal config changes for arch linux

diff options

author	Kevin Cernekee <cernekee@chromium.org>	2017-12-05 15:42:41 -0800
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2017-12-06 09:01:18 +0100
commit	916a27901de01446bcf57ecca4783f6cff493309 (patch)
tree	4c799eda5882355010e6fca6bfb478210b8012bb /tools/perf/scripts/python/syscall-counts-by-pid.py
parent	6ab405114b0b229151ef06f4e31c7834dd09d0c0 (diff)

netfilter: xt_osf: Add missing permission checks

The capability check in nfnetlink_rcv() verifies that the caller has CAP_NET_ADMIN in the namespace that "owns" the netlink socket. However, xt_osf_fingers is shared by all net namespaces on the system. An unprivileged user can create user and net namespaces in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable() check: vpnns -- nfnl_osf -f /tmp/pf.os vpnns -- nfnl_osf -f /tmp/pf.os -d These non-root operations successfully modify the systemwide OS fingerprint list. Add new capable() checks so that they can't. Signed-off-by: Kevin Cernekee <cernekee@chromium.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Diffstat (limited to 'tools/perf/scripts/python/syscall-counts-by-pid.py')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: