From patchwork Fri Aug 17 17:22:29 2012
X-Patchwork-Submitter: Pablo Neira Ayuso
X-Patchwork-Id: 178285
X-Patchwork-Delegate: davem@davemloft.net
From: pablo@netfilter.org
To: netdev@vger.kernel.org
Cc: davem@davemloft.net
Subject: [PATCH 2/2] [RFC] netlink: fix possible spoofing from non-root processes
Date: Fri, 17 Aug 2012 19:22:29 +0200
Message-Id: <1345224149-5946-3-git-send-email-pablo@netfilter.org>
In-Reply-To: <1345224149-5946-1-git-send-email-pablo@netfilter.org>
References: <1345224149-5946-1-git-send-email-pablo@netfilter.org>
X-Mailing-List: netdev@vger.kernel.org
From: Pablo Neira Ayuso

Non-root user-space processes can send netlink messages to other processes that are well-known for being subscribed to Netlink asynchronous notifications. This allows an illegitimate non-root process to send forged messages to them.

This is usually fixed by checking for the Netlink portID in the message receival path of the user-space process. In general, portID == 0 means that the origin of the message is the kernel, thus discarding any message not coming from the kernel. This is true for rtnetlink. However, ctnetlink sets the portID in event messages that have been triggered by some user-space process, e.g. the conntrack utility, so other processes subscribed to ctnetlink events, e.g. conntrackd, know that the event was triggered by some user-space action.

This patch adds capability validation in case dst_pid is set in netlink_sendmsg(). This approach is aggressive since any existing application using any of the Netlink buses to deliver messages between two user-space processes will break.

[ I don't know of any FOSS program making use of Netlink to communicate between processes, please let me know if I'm missing anyone important ]

Anyway, if we want to ensure full backward compatibility, a new version of this patch including the NL_CFG_F_NONROOT_SEND flag needs to be set in all kernel subsystems. However, I don't think it makes sense to use NETLINK_ROUTE to communicate between two processes that are sending, no matter what, information that is not related to link/neighbouring/routing? Still, if someone wants to make use of Netlink for this, e.g. I remember people wanting to implement D-BUS over Netlink, then we can reserve some Netlink bus explicitly for this and set NL_CFG_F_NONROOT_SEND on it.

Not related to this, but I noticed that some existing well-known user-space programs set SO_PASSCRED to obtain credentials while trying to solve this.
But they do it wrong, since they misinterpret credentials containing pid == 0 as "yes, this message is really coming from the kernel". So those programs will also be happy if this patch gets in, since it will fix spoofing for them.

Reported-by: Florian Weimer
Signed-off-by: Pablo Neira Ayuso

--- net/netlink/af_netlink.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c index d04f923..758993f 100644 --- a/net/netlink/af_netlink.c +++ b/net/netlink/af_netlink.c @@ -1373,7 +1373,8 @@ static int netlink_sendmsg(struct kiocb *kiocb, struct socket *sock, dst_pid = addr->nl_pid; dst_group = ffs(addr->nl_groups); err = -EPERM; - if (dst_group && !netlink_capable(sock, NL_CFG_F_NONROOT_SEND)) + if ((dst_group || dst_pid) && + !netlink_capable(sock, NL_CFG_F_NONROOT_SEND)) goto out; } else { dst_pid = nlk->dst_pid;
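Review bot: the new `(dst_group || dst_pid)` test only covers the branch where msg_name supplies the destination; the `else` branch that follows takes `dst_pid = nlk->dst_pid` from a previously connect()ed socket without going through this check, so unless netlink_connect() already applies the same `netlink_capable(sock, NL_CFG_F_NONROOT_SEND)` test for a non-zero nl_pid, a socket that connects to a unicast port id first and then uses send() is still unrestricted. Either add the equivalent test in netlink_connect() or move this check below the if/else so it runs on the resolved dst_pid in both paths. Sending to the kernel (dst_pid == 0, no group) remains allowed, which matches the intent. Since this turns unicast to another user-space port id into -EPERM on every bus for unprivileged senders, the commit message should also say explicitly which buses (if any) are expected to set NL_CFG_F_NONROOT_SEND so that reviewers of the affected subsystems can react.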