| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <53EDB8E9.8040904@huawei.com>
Date: Fri, 15 Aug 2014 15:38:17 +0800
From: wangyufen <wangyufen@...wei.com>
To: Jonathan Toppins <jtoppins@...ulusnetworks.com>
CC: <davem@...emloft.net>, <netdev@...r.kernel.org>,
"Eric W. Biederman" <ebiederm@...ssion.com>
Subject: Re: [PATCH v2 7/8] net: Use netlink_ns_capable to verify the permisions
of netlink messages
On 2014/8/1 6:06, Jonathan Toppins wrote:
> On 7/25/14, 4:22 AM, Wangyufen wrote:
>> From: "Eric W. Biederman" <ebiederm@...ssion.com>
>>
>> It is possible by passing a netlink socket to a more privileged
>> executable and then to fool that executable into writing to the socket
>> data that happens to be valid netlink message to do something that
>> privileged executable did not intend to do.
>>
>> To keep this from happening replace bare capable and ns_capable calls
>> with netlink_capable, netlink_net_calls and netlink_ns_capable calls.
>> Which act the same as the previous calls except they verify that the
>> opener of the socket had the desired permissions as well.
>>
>> Reported-by: Andy Lutomirski <luto@...capital.net>
>> Signed-off-by: "Eric W. Biederman" <ebiederm@...ssion.com>
>> Signed-off-by: David S. Miller <davem@...emloft.net>
>> Signed-off-by: Wang Yufen <wangyufen@...wei.com>
>> ---
>> crypto/crypto_user.c | 2 +-
>> drivers/connector/cn_proc.c | 2 +-
>> drivers/scsi/scsi_netlink.c | 2 +-
>> kernel/audit.c | 4 ++--
>> net/core/rtnetlink.c | 2 +-
>> net/decnet/dn_dev.c | 2 +-
>> net/decnet/netfilter/dn_rtmsg.c | 2 +-
>> net/netfilter/nfnetlink.c | 2 +-
>> net/netlink/genetlink.c | 2 +-
>> net/phonet/pn_netlink.c | 4 ++--
>> net/tipc/netlink.c | 2 +-
>> net/xfrm/xfrm_user.c | 2 +-
>> 12 files changed, 14 insertions(+), 14 deletions(-)
>>
>> diff --git a/crypto/crypto_user.c b/crypto/crypto_user.c
>> index 910497b..c86969e 100644
>> --- a/crypto/crypto_user.c
>> +++ b/crypto/crypto_user.c
>> @@ -452,7 +452,7 @@ static int crypto_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
>> type -= CRYPTO_MSG_BASE;
>> link = &crypto_dispatch[type];
>>
>> - if (!capable(CAP_NET_ADMIN))
>> + if (!netlink_capable(skb, CAP_NET_ADMIN))
>> return -EPERM;
>>
>> if ((type == (CRYPTO_MSG_GETALG - CRYPTO_MSG_BASE) &&
>> diff --git a/drivers/connector/cn_proc.c b/drivers/connector/cn_proc.c
>> index 094a710..46856ae 100644
>> --- a/drivers/connector/cn_proc.c
>> +++ b/drivers/connector/cn_proc.c
>> @@ -332,7 +332,7 @@ static void cn_proc_mcast_ctl(struct cn_msg *msg,
>> return;
>>
>> /* Can only change if privileged. */
>> - if (!capable(CAP_NET_ADMIN)) {
>> + if (!__netlink_ns_capable(nsp, &init_user_ns, CAP_NET_ADMIN)) {
>> err = EPERM;
>> goto out;
>> }
>> diff --git a/drivers/scsi/scsi_netlink.c b/drivers/scsi/scsi_netlink.c
>> index c77628a..a930b66 100644
>> --- a/drivers/scsi/scsi_netlink.c
>> +++ b/drivers/scsi/scsi_netlink.c
>> @@ -112,7 +112,7 @@ scsi_nl_rcv_msg(struct sk_buff *skb)
>> goto next_msg;
>> }
>>
>> - if (!capable(CAP_SYS_ADMIN)) {
>> + if (!netlink_capable(skb, CAP_SYS_ADMIN)) {
>> err = -EPERM;
>> goto next_msg;
>> }
>> diff --git a/kernel/audit.c b/kernel/audit.c
>> index b4efae8..3c3a31c 100644
>> --- a/kernel/audit.c
>> +++ b/kernel/audit.c
>> @@ -601,13 +601,13 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
>> case AUDIT_TTY_SET:
>> case AUDIT_TRIM:
>> case AUDIT_MAKE_EQUIV:
>> - if (!capable(CAP_AUDIT_CONTROL))
>> + if (!netlink_capable(skb, CAP_AUDIT_CONTROL))
>> err = -EPERM;
>> break;
>> case AUDIT_USER:
>> case AUDIT_FIRST_USER_MSG ... AUDIT_LAST_USER_MSG:
>> case AUDIT_FIRST_USER_MSG2 ... AUDIT_LAST_USER_MSG2:
>> - if (!capable(CAP_AUDIT_WRITE))
>> + if (!netlink_capable(skb, CAP_AUDIT_WRITE))
>> err = -EPERM;
>> break;
>> default: /* bad msg */
>> diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
>> index a133427..d3ac150 100644
>> --- a/net/core/rtnetlink.c
>> +++ b/net/core/rtnetlink.c
>> @@ -2010,7 +2010,7 @@ static int rtnetlink_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
>> sz_idx = type>>2;
>> kind = type&3;
>>
>> - if (kind != 2 && !capable(CAP_NET_ADMIN))
>> + if (kind != 2 && !netlink_net_capable(skb, CAP_NET_ADMIN))
>> return -EPERM;
>>
>> if (kind == 2 && nlh->nlmsg_flags&NLM_F_DUMP) {
>> diff --git a/net/decnet/dn_dev.c b/net/decnet/dn_dev.c
>> index c00e307..b79ce1e 100644
>> --- a/net/decnet/dn_dev.c
>> +++ b/net/decnet/dn_dev.c
>> @@ -440,7 +440,7 @@ int dn_dev_ioctl(unsigned int cmd, void __user *arg)
>> case SIOCGIFADDR:
>> break;
>> case SIOCSIFADDR:
>> - if (!capable(CAP_NET_ADMIN))
>> + if (!netlink_capable(skb, CAP_NET_ADMIN))
>
> Hello,
>
> I am working on the 3.2 backport based off of these patches and am
> getting a compile error here. It appears even the 3.4 series doesn't
> compile, snippet of compile log for 3.4 series below:
>
> net/decnet/dn_dev.c: In function ‘dn_dev_ioctl’:
> net/decnet/dn_dev.c:443:24: error: ‘skb’ undeclared (first use in this
> function)
> net/decnet/dn_dev.c:443:24: note: each undeclared identifier is reported
> only once for each function it appears in
> make[2]: *** [net/decnet/dn_dev.o] Error 1
> make[1]: *** [net/decnet] Error 2
>
> jtoppins@...ian-devel:~/linux/linux-stable$ git log --oneline -10
> a926d22 netlink: Only check file credentials for implicit destinations
> 070d4a0 net: Use netlink_ns_capable to verify the permisions of netlink
> messages
> 31393c4 net: Add variants of capable for use on netlink messages
> 45a1d1f net: Add variants of capable for use on on sockets
> 9f2effc netlink: Rename netlink_capable netlink_allowed
> f4d5163 Add file_ns_capable() helper function for open-time capability
> checking
> 3e8d4ac userns: make each net (net_ns) belong to a user_ns
> 9087c45 netlink: Make the sending netlink socket availabe in NETLINK_CB
> 82f9c4a Linux 3.4.100
> 21870a3 iommu/vt-d: Disable translation if already enabled
>
> Am I missing something?
>
> Thanks,
> -Jon
>
>
sorry for that, I made a big mistake.
I used the wrong .config file and net/decnet/dn_dev.c did't compiled in.
I checked the patch, there is no need to change net/decnet/dn_dev.c, it's ioctl not netlink.
>> return -EACCES;
>> if (sdn->sdn_family != AF_DECnet)
>> return -EINVAL;
>> diff --git a/net/decnet/netfilter/dn_rtmsg.c b/net/decnet/netfilter/dn_rtmsg.c
>> index 1531135..dc750e2 100644
>> --- a/net/decnet/netfilter/dn_rtmsg.c
>> +++ b/net/decnet/netfilter/dn_rtmsg.c
>> @@ -108,7 +108,7 @@ static inline void dnrmg_receive_user_skb(struct sk_buff *skb)
>> if (nlh->nlmsg_len < sizeof(*nlh) || skb->len < nlh->nlmsg_len)
>> return;
>>
>> - if (!capable(CAP_NET_ADMIN))
>> + if (!netlink_capable(skb, CAP_NET_ADMIN))
>> RCV_SKB_FAIL(-EPERM);
>>
>> /* Eventually we might send routing messages too */
>> diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c
>> index e6ddde1..5cfc865 100644
>> --- a/net/netfilter/nfnetlink.c
>> +++ b/net/netfilter/nfnetlink.c
>> @@ -129,7 +129,7 @@ static int nfnetlink_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
>> const struct nfnetlink_subsystem *ss;
>> int type, err;
>>
>> - if (!capable(CAP_NET_ADMIN))
>> + if (!netlink_net_capable(skb, CAP_NET_ADMIN))
>> return -EPERM;
>>
>> /* All the messages must at least contain nfgenmsg */
>> diff --git a/net/netlink/genetlink.c b/net/netlink/genetlink.c
>> index 73d3f0c..dff8562 100644
>> --- a/net/netlink/genetlink.c
>> +++ b/net/netlink/genetlink.c
>> @@ -556,7 +556,7 @@ static int genl_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
>> return -EOPNOTSUPP;
>>
>> if ((ops->flags & GENL_ADMIN_PERM) &&
>> - !capable(CAP_NET_ADMIN))
>> + !netlink_capable(skb, CAP_NET_ADMIN))
>> return -EPERM;
>>
>> if (nlh->nlmsg_flags & NLM_F_DUMP) {
>> diff --git a/net/phonet/pn_netlink.c b/net/phonet/pn_netlink.c
>> index d61f676..18485cd 100644
>> --- a/net/phonet/pn_netlink.c
>> +++ b/net/phonet/pn_netlink.c
>> @@ -70,7 +70,7 @@ static int addr_doit(struct sk_buff *skb, struct nlmsghdr *nlh, void *attr)
>> int err;
>> u8 pnaddr;
>>
>> - if (!capable(CAP_SYS_ADMIN))
>> + if (!netlink_capable(skb, CAP_SYS_ADMIN))
>> return -EPERM;
>>
>> ASSERT_RTNL();
>> @@ -228,7 +228,7 @@ static int route_doit(struct sk_buff *skb, struct nlmsghdr *nlh, void *attr)
>> int err;
>> u8 dst;
>>
>> - if (!capable(CAP_SYS_ADMIN))
>> + if (!netlink_capable(skb, CAP_SYS_ADMIN))
>> return -EPERM;
>>
>> ASSERT_RTNL();
>> diff --git a/net/tipc/netlink.c b/net/tipc/netlink.c
>> index 7bda8e3..0b4cf4f 100644
>> --- a/net/tipc/netlink.c
>> +++ b/net/tipc/netlink.c
>> @@ -47,7 +47,7 @@ static int handle_cmd(struct sk_buff *skb, struct genl_info *info)
>> int hdr_space = NLMSG_SPACE(GENL_HDRLEN + TIPC_GENL_HDRLEN);
>> u16 cmd;
>>
>> - if ((req_userhdr->cmd & 0xC000) && (!capable(CAP_NET_ADMIN)))
>> + if ((req_userhdr->cmd & 0xC000) && (!netlink_capable(skb, CAP_NET_ADMIN)))
>> cmd = TIPC_CMD_NOT_NET_ADMIN;
>> else
>> cmd = req_userhdr->cmd;
>> diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
>> index c8b903d..ce16eba 100644
>> --- a/net/xfrm/xfrm_user.c
>> +++ b/net/xfrm/xfrm_user.c
>> @@ -2317,7 +2317,7 @@ static int xfrm_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
>> link = &xfrm_dispatch[type];
>>
>> /* All operations require privileges, even GET */
>> - if (!capable(CAP_NET_ADMIN))
>> + if (!netlink_net_capable(skb, CAP_NET_ADMIN))
>> return -EPERM;
>>
>> if ((type == (XFRM_MSG_GETSA - XFRM_MSG_BASE) ||
>>
>
>
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists