Message ID | 1262715967-25274-1-git-send-email-fw@strlen.de |
---|---|
State | Not Applicable, archived |
Delegated to: | David Miller |
Headers | show |
Florian Westphal wrote: > normal users are currently allowed to set/modify ebtables rules. > Restrict it to processes with CAP_NET_ADMIN. > > Signed-off-by: Florian Westphal <fwestphal@astaro.com> > --- > Note that this cannot be reproduced with > unmodified ebtables binary because it uses SOCK_RAW. Unbelievable that this went unnoticed for so long. Applied and queued for -stable, thanks a lot Florian. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c index bd1c654..0b7f262 100644 --- a/net/bridge/netfilter/ebtables.c +++ b/net/bridge/netfilter/ebtables.c @@ -1406,6 +1406,9 @@ static int do_ebt_set_ctl(struct sock *sk, { int ret; + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + switch(cmd) { case EBT_SO_SET_ENTRIES: ret = do_replace(sock_net(sk), user, len); @@ -1425,6 +1428,9 @@ static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len) struct ebt_replace tmp; struct ebt_table *t; + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + if (copy_from_user(&tmp, user, sizeof(tmp))) return -EFAULT;
normal users are currently allowed to set/modify ebtables rules. Restrict it to processes with CAP_NET_ADMIN. Signed-off-by: Florian Westphal <fwestphal@astaro.com> --- Note that this cannot be reproduced with unmodified ebtables binary because it uses SOCK_RAW.