Commit 37d2e7a20d745035b600f1a6be56cbb9c7259419

Authored by Harald Welte
Committed by David S. Miller
1 parent 3746a2b140

[NETFILTER] nfnetlink: unconditionally require CAP_NET_ADMIN

This patch unconditionally requires CAP_NET_ADMIN for all nfnetlink
messages.  It also removes the per-message cap_required field, since all
existing subsystems use CAP_NET_ADMIN for all their messages anyway.

Patrick McHardy owes me a beer if we ever need to re-introduce this.

Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

Showing 5 changed files with 24 additions and 41 deletions Side-by-side Diff

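--- a/include/linux/netfilter/nfnetlink.h
+++ b/include/linux/netfilter/nfnetlink.h
@@ -112,7 +112,6 @@
 {
 int (*call)(struct sock *nl, struct sk_buff *skb,
 struct nlmsghdr *nlh, struct nfattr *cda[], int *errp);
-kernel_cap_t cap_required; /* capabilities required for this msg */
 u_int16_t attr_count; /* number of nfattr's */
 };
 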
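--- a/net/ipv4/netfilter/ip_conntrack_netlink.c
+++ b/net/ipv4/netfilter/ip_conntrack_netlink.c
@@ -1543,29 +1543,22 @@
 
 static struct nfnl_callback ctnl_cb[IPCTNL_MSG_MAX] = {
 [IPCTNL_MSG_CT_NEW] = { .call = ctnetlink_new_conntrack,
-.attr_count = CTA_MAX,
-.cap_required = CAP_NET_ADMIN },
+.attr_count = CTA_MAX, },
 [IPCTNL_MSG_CT_GET] = { .call = ctnetlink_get_conntrack,
-.attr_count = CTA_MAX,
-.cap_required = CAP_NET_ADMIN },
+.attr_count = CTA_MAX, },
 [IPCTNL_MSG_CT_DELETE] = { .call = ctnetlink_del_conntrack,
-.attr_count = CTA_MAX,
-.cap_required = CAP_NET_ADMIN },
+.attr_count = CTA_MAX, },
 [IPCTNL_MSG_CT_GET_CTRZERO] = { .call = ctnetlink_get_conntrack,
-.attr_count = CTA_MAX,
-.cap_required = CAP_NET_ADMIN },
+.attr_count = CTA_MAX, },
 };
 
 static struct nfnl_callback ctnl_exp_cb[IPCTNL_MSG_EXP_MAX] = {
 [IPCTNL_MSG_EXP_GET] = { .call = ctnetlink_get_expect,
-.attr_count = CTA_EXPECT_MAX,
-.cap_required = CAP_NET_ADMIN },
+.attr_count = CTA_EXPECT_MAX, },
 [IPCTNL_MSG_EXP_NEW] = { .call = ctnetlink_new_expect,
-.attr_count = CTA_EXPECT_MAX,
-.cap_required = CAP_NET_ADMIN },
+.attr_count = CTA_EXPECT_MAX, },
 [IPCTNL_MSG_EXP_DELETE] = { .call = ctnetlink_del_expect,
-.attr_count = CTA_EXPECT_MAX,
-.cap_required = CAP_NET_ADMIN },
+.attr_count = CTA_EXPECT_MAX, },
 };
 
 static struct nfnetlink_subsystem ctnl_subsys = {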
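--- a/net/netfilter/nfnetlink.c
+++ b/net/netfilter/nfnetlink.c
@@ -223,6 +223,12 @@
 NFNL_SUBSYS_ID(nlh->nlmsg_type),
 NFNL_MSG_TYPE(nlh->nlmsg_type));
 
+if (!cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN)) {
+DEBUGP("missing CAP_NET_ADMIN\n");
+*errp = -EPERM;
+return -1;
+}
+
 /* Only requests are handled by kernel now. */
 if (!(nlh->nlmsg_flags & NLM_F_REQUEST)) {
 DEBUGP("received non-request message\n");
@@ -240,15 +246,12 @@
 ss = nfnetlink_get_subsys(type);
 if (!ss) {
 #ifdef CONFIG_KMOD
-if (cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN)) {
-/* don't call nfnl_shunlock, since it would reenter
-* with further packet processing */
-up(&nfnl_sem);
-request_module("nfnetlink-subsys-%d",
-NFNL_SUBSYS_ID(type));
-nfnl_shlock();
-ss = nfnetlink_get_subsys(type);
-}
+/* don't call nfnl_shunlock, since it would reenter
+* with further packet processing */
+up(&nfnl_sem);
+request_module("nfnetlink-subsys-%d", NFNL_SUBSYS_ID(type));
+nfnl_shlock();
+ss = nfnetlink_get_subsys(type);
 if (!ss)
 #endif
 goto err_inval;
@@ -258,13 +261,6 @@
 if (!nc) {
 DEBUGP("unable to find client for type %d\n", type);
 goto err_inval;
-}
-
-if (nc->cap_required &&
-!cap_raised(NETLINK_CB(skb).eff_cap, nc->cap_required)) {
-DEBUGP("permission denied for type %d\n", type);
-*errp = -EPERM;
-return -1;
 }
 
 {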
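Review bot: The new gate at lines 226-230 tests `NETLINK_CB(skb).eff_cap` directly with `cap_raised()`, while the rest of the netlink receive path of this era routes the same privilege decision through the LSM hook `security_netlink_recv()`; if that hook is available in this tree, calling it here instead would let security modules observe and veto nfnetlink requests too (the hook is not visible in this hunk, so treat this as a suggestion to confirm). Because the check now runs before the NLM_F_REQUEST test, an unprivileged sender of a non-request message receives -EPERM rather than whatever the non-request branch returned before; that is the right deny-by-default order but is worth stating, so I would add above the check `/* Every nfnetlink message requires CAP_NET_ADMIN; this single gate replaces the per-callback cap_required check. */`. The removed check at old lines 263-268 logged the message type, which the new one drops; `DEBUGP("missing CAP_NET_ADMIN for type %d\n", NFNL_MSG_TYPE(nlh->nlmsg_type));` keeps that diagnostic value. The enclosing function starts before the first hunk and continues after the last one.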
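--- a/net/netfilter/nfnetlink_log.c
+++ b/net/netfilter/nfnetlink_log.c
@@ -862,11 +862,9 @@
 
 static struct nfnl_callback nfulnl_cb[NFULNL_MSG_MAX] = {
 [NFULNL_MSG_PACKET] = { .call = nfulnl_recv_unsupp,
-.attr_count = NFULA_MAX,
-.cap_required = CAP_NET_ADMIN, },
+.attr_count = NFULA_MAX, },
 [NFULNL_MSG_CONFIG] = { .call = nfulnl_recv_config,
-.attr_count = NFULA_CFG_MAX,
-.cap_required = CAP_NET_ADMIN },
+.attr_count = NFULA_CFG_MAX, },
 };
 
 static struct nfnetlink_subsystem nfulnl_subsys = {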
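--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -931,14 +931,11 @@
 
 static struct nfnl_callback nfqnl_cb[NFQNL_MSG_MAX] = {
 [NFQNL_MSG_PACKET] = { .call = nfqnl_recv_unsupp,
-.attr_count = NFQA_MAX,
-.cap_required = CAP_NET_ADMIN },
+.attr_count = NFQA_MAX, },
 [NFQNL_MSG_VERDICT] = { .call = nfqnl_recv_verdict,
-.attr_count = NFQA_MAX,
-.cap_required = CAP_NET_ADMIN },
+.attr_count = NFQA_MAX, },
 [NFQNL_MSG_CONFIG] = { .call = nfqnl_recv_config,
-.attr_count = NFQA_CFG_MAX,
-.cap_required = CAP_NET_ADMIN },
+.attr_count = NFQA_CFG_MAX, },
 };
 
 static struct nfnetlink_subsystem nfqnl_subsys = {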