| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 23 Aug 2010 21:37:35 +0800
From: Changli Gao <xiaosuo@...il.com>
To: luciano.coelho@...ia.com
Cc: kaber@...sh.net, netfilter-devel@...r.kernel.org,
netdev@...r.kernel.org, James Morris <jmorris@...ei.org>,
linux-security-module@...r.kernel.org
Subject: Re: [PATCH] netfilter: xt_condition: add security capability support
On Mon, Aug 23, 2010 at 8:50 PM, <luciano.coelho@...ia.com> wrote:
> From: Luciano Coelho <luciano.coelho@...ia.com>
>
> Add a module parameter that allows the required security capability to
> change the conditions from userspace to be specified. By default the
> module will require the CAP_NET_ADMIN capability.
>
> Signed-off-by: Luciano Coelho <luciano.coelho@...ia.com>
> ---
> net/netfilter/xt_condition.c | 10 ++++++++++
> 1 files changed, 10 insertions(+), 0 deletions(-)
>
> diff --git a/net/netfilter/xt_condition.c b/net/netfilter/xt_condition.c
> index 06205aa..fd279e5 100644
> --- a/net/netfilter/xt_condition.c
> +++ b/net/netfilter/xt_condition.c
> @@ -29,11 +29,13 @@
> #include <linux/netfilter/xt_condition.h>
> #include <net/netns/generic.h>
> #include <asm/uaccess.h>
> +#include <linux/capability.h>
>
> /* Defaults, these can be overridden on the module command-line. */
> static unsigned int condition_list_perms = S_IRUGO | S_IWUSR;
> static unsigned int condition_uid_perms = 0;
> static unsigned int condition_gid_perms = 0;
> +static unsigned int condition_capabilities = CAP_NET_ADMIN;
>
> MODULE_AUTHOR("Stephane Ouellette <ouellettes@...eotron.ca>");
> MODULE_AUTHOR("Massimiliano Hofer <max@...leus.it>");
> @@ -47,6 +49,8 @@ module_param(condition_uid_perms, uint, S_IRUSR | S_IWUSR);
> MODULE_PARM_DESC(condition_uid_perms, "default user owner of /proc/net/nf_condition/* files");
> module_param(condition_gid_perms, uint, S_IRUSR | S_IWUSR);
> MODULE_PARM_DESC(condition_gid_perms, "default group owner of /proc/net/nf_condition/* files");
> +module_param(condition_capabilities, uint, CAP_NET_ADMIN);
> +MODULE_PARM_DESC(condition_capabilities, "default capabilities required to change /proc/net/nf_condition/* files");
It is strange that we set security policy in this way. Maybe the
permission of the proc file is enough in this case.
> MODULE_ALIAS("ipt_condition");
> MODULE_ALIAS("ip6t_condition");
>
> @@ -88,6 +92,12 @@ static int condition_proc_write(struct file *file, const char __user *input,
> char buf[sizeof("+037777777777")];
> unsigned long long value;
>
> + if (!capable(condition_capabilities)) {
> + pr_debug("not enough capabilities (requires %0X)\n",
> + condition_capabilities);
> + return -EPERM;
> + }
> +
> if (length == 0)
> return 0;
>
> --
> 1.7.0.4
>
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
> the body of a message to majordomo@...r.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
--
Regards,
Changli Gao(xiaosuo@...il.com)
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists