Linux 2.6.31.12
diff --git a/releases/2.6.31.12/netfilter-ebtables-enforce-cap_net_admin.patch b/releases/2.6.31.12/netfilter-ebtables-enforce-cap_net_admin.patch
new file mode 100644 (file)
index 0000000..bc3ba1f
--- /dev/null
@@ -0,0 +1,45 @@
+From dce766af541f6605fa9889892c0280bab31c66ab Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fwestphal@astaro.com>
+Date: Fri, 8 Jan 2010 17:31:24 +0100
+Subject: netfilter: ebtables: enforce CAP_NET_ADMIN
+
+From: Florian Westphal <fwestphal@astaro.com>
+
+commit dce766af541f6605fa9889892c0280bab31c66ab upstream.
+
+normal users are currently allowed to set/modify ebtables rules.
+Restrict it to processes with CAP_NET_ADMIN.
+
+Note that this cannot be reproduced with unmodified ebtables binary
+because it uses SOCK_RAW.
+
+Signed-off-by: Florian Westphal <fwestphal@astaro.com>
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/bridge/netfilter/ebtables.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/net/bridge/netfilter/ebtables.c
++++ b/net/bridge/netfilter/ebtables.c
+@@ -1405,6 +1405,9 @@ static int do_ebt_set_ctl(struct sock *s
+ {
+       int ret;
++      if (!capable(CAP_NET_ADMIN))
++              return -EPERM;
++
+       switch(cmd) {
+       case EBT_SO_SET_ENTRIES:
+               ret = do_replace(sock_net(sk), user, len);
+@@ -1424,6 +1427,9 @@ static int do_ebt_get_ctl(struct sock *s
+       struct ebt_replace tmp;
+       struct ebt_table *t;
++      if (!capable(CAP_NET_ADMIN))
++              return -EPERM;
++
+       if (copy_from_user(&tmp, user, sizeof(tmp)))
+               return -EFAULT;