1 | From dce766af541f6605fa9889892c0280bab31c66ab Mon Sep 17 00:00:00 2001 |
2 | From: Florian Westphal <fwestphal@astaro.com> | |
3 | Date: Fri, 8 Jan 2010 17:31:24 +0100 | |
4 | Subject: netfilter: ebtables: enforce CAP_NET_ADMIN | |
5 | ||
6 | From: Florian Westphal <fwestphal@astaro.com> | |
7 | ||
8 | commit dce766af541f6605fa9889892c0280bab31c66ab upstream. | |
9 | ||
10 | normal users are currently allowed to set/modify ebtables rules. | |
11 | Restrict it to processes with CAP_NET_ADMIN. | |
12 | ||
13 | Note that this cannot be reproduced with unmodified ebtables binary | |
14 | because it uses SOCK_RAW. | |
15 | ||
16 | Signed-off-by: Florian Westphal <fwestphal@astaro.com> | |
17 | Signed-off-by: Patrick McHardy <kaber@trash.net> | |
18 | Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> | |
19 | ||
20 | --- | |
21 | net/bridge/netfilter/ebtables.c | 6 ++++++ | |
22 | 1 file changed, 6 insertions(+) | |
23 | ||
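--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -1405,6 +1405,9 @@ static int do_ebt_set_ctl(struct sock *s
 {
 int ret;
 
+if (!capable(CAP_NET_ADMIN))
+return -EPERM;
+
 switch(cmd) {
 case EBT_SO_SET_ENTRIES:
 ret = do_replace(sock_net(sk), user, len);
@@ -1424,6 +1427,9 @@ static int do_ebt_get_ctl(struct sock *s
 struct ebt_replace tmp;
 struct ebt_table *t;
 
+if (!capable(CAP_NET_ADMIN))
+return -EPERM;
+
 if (copy_from_user(&tmp, user, sizeof(tmp)))
 return -EFAULT;
 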
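Review bot: The capability check added at the top of do_ebt_set_ctl (and repeated verbatim in do_ebt_get_ctl) carries no comment, so the reasoning that only lives in the commit log — that the stock ebtables binary happened to be privileged via SOCK_RAW, while the sockopt handlers themselves never enforced anything — will be lost to the next reader who wonders whether the check is redundant. I would put a one-line comment above the first check, e.g. `/* Rule changes affect the whole bridge; require CAP_NET_ADMIN here rather than relying on how the socket was created. */`, and a `/* see do_ebt_set_ctl */` above the second. The placement itself is right: in do_ebt_get_ctl the test precedes copy_from_user(), so an unprivileged caller is refused before the kernel touches its buffer, and that ordering is worth preserving if the function is restructured later. If I recall correctly this mirrors the existing CAP_NET_ADMIN tests in the ip_tables and arp_tables set/get handlers, which would be worth stating in the commit description for consistency. Both enclosing functions begin before their hunks and continue past them, so the remainder of each handler is not visible here.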