[thirdparty/kernel/stable-queue.git] / releases / 2.6.31.12 / netfilter-ebtables-enforce-cap_net_admin.patch

From dce766af541f6605fa9889892c0280bab31c66ab Mon Sep 17 00:00:00 2001
From: Florian Westphal <fwestphal@astaro.com>
Date: Fri, 8 Jan 2010 17:31:24 +0100
Subject: netfilter: ebtables: enforce CAP_NET_ADMIN

From: Florian Westphal <fwestphal@astaro.com>

commit dce766af541f6605fa9889892c0280bab31c66ab upstream.

normal users are currently allowed to set/modify ebtables rules.
Restrict it to processes with CAP_NET_ADMIN.

Note that this cannot be reproduced with unmodified ebtables binary
because it uses SOCK_RAW.

Signed-off-by: Florian Westphal <fwestphal@astaro.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 net/bridge/netfilter/ebtables.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -1405,6 +1405,9 @@ static int do_ebt_set_ctl(struct sock *s
 {
 	int ret;
 
+	if (!capable(CAP_NET_ADMIN))
+		return -EPERM;
+
 	switch(cmd) {
 	case EBT_SO_SET_ENTRIES:
 		ret = do_replace(sock_net(sk), user, len);
@@ -1424,6 +1427,9 @@ static int do_ebt_get_ctl(struct sock *s
 	struct ebt_replace tmp;
 	struct ebt_table *t;
 
+	if (!capable(CAP_NET_ADMIN))
+		return -EPERM;
+
 	if (copy_from_user(&tmp, user, sizeof(tmp)))
 		return -EFAULT;
Commit	Line	Data
a5dc67e6 GKH	1	From dce766af541f6605fa9889892c0280bab31c66ab Mon Sep 17 00:00:00 2001
	2	From: Florian Westphal <fwestphal@astaro.com>
	3	Date: Fri, 8 Jan 2010 17:31:24 +0100
	4	Subject: netfilter: ebtables: enforce CAP_NET_ADMIN
	5
	6	From: Florian Westphal <fwestphal@astaro.com>
	7
	8	commit dce766af541f6605fa9889892c0280bab31c66ab upstream.
	9
	10	normal users are currently allowed to set/modify ebtables rules.
	11	Restrict it to processes with CAP_NET_ADMIN.
	12
	13	Note that this cannot be reproduced with unmodified ebtables binary
	14	because it uses SOCK_RAW.
	15
	16	Signed-off-by: Florian Westphal <fwestphal@astaro.com>
	17	Signed-off-by: Patrick McHardy <kaber@trash.net>
	18	Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
	19
	20	---
	21	net/bridge/netfilter/ebtables.c \| 6 ++++++
	22	1 file changed, 6 insertions(+)
	23
	24	--- a/net/bridge/netfilter/ebtables.c
	25	+++ b/net/bridge/netfilter/ebtables.c
	26	@@ -1405,6 +1405,9 @@ static int do_ebt_set_ctl(struct sock *s
	27	{
	28	int ret;
	29
	30	+ if (!capable(CAP_NET_ADMIN))
	31	+ return -EPERM;
	32	+
	33	switch(cmd) {
	34	case EBT_SO_SET_ENTRIES:
	35	ret = do_replace(sock_net(sk), user, len);
	36	@@ -1424,6 +1427,9 @@ static int do_ebt_get_ctl(struct sock *s
	37	struct ebt_replace tmp;
	38	struct ebt_table *t;
	39
	40	+ if (!capable(CAP_NET_ADMIN))
	41	+ return -EPERM;
	42	+
	43	if (copy_from_user(&tmp, user, sizeof(tmp)))
	44	return -EFAULT;
	45