mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2025-01-23 13:51:13 -05:00
74 lines
2.9 KiB
Diff
From 20e1db19db5d6b9e4e83021595eab0dc8f107bef Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Thu, 23 Aug 2012 02:09:11 +0000
Subject: netlink: fix possible spoofing from non-root processes

Non-root user-space processes can send Netlink messages to other
processes that are well-known for being subscribed to Netlink
asynchronous notifications. This allows illegitimate non-root
processes to send forged messages to Netlink subscribers.

The userspace process usually verifies the legitimate origin in
two ways:

a) Socket credentials. If UID != 0, then the message comes from
some illegitimate process and the message needs to be dropped.

b) Netlink portID. In general, portID == 0 means that the origin
of the messages comes from the kernel. Thus, discarding any
message not coming from the kernel.

However, ctnetlink sets the portID in event messages that have
been triggered by some user-space process, eg. conntrack utility.
So other processes subscribed to ctnetlink events, eg. conntrackd,
know that the event was triggered by some user-space action.

Neither of the two ways to discard illegitimate messages coming
from non-root processes can help for ctnetlink.

This patch adds capability validation in case that dst_pid is set
in netlink_sendmsg(). This approach is aggressive since existing
applications using any Netlink bus to deliver messages between
two user-space processes will break. Note that the exception is
NETLINK_USERSOCK, since it is reserved for netlink-to-netlink
userspace communication.

Still, if anyone wants that his Netlink bus allows netlink-to-netlink
userspace, then they can set NL_NONROOT_SEND. However, by default,
I don't think it makes sense to allow to use NETLINK_ROUTE to
communicate two processes that are sending no matter what information
that is not related to link/neighbouring/routing. They should be using
NETLINK_USERSOCK instead for that.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
 net/netlink/af_netlink.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 1445d73..5270238 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -1373,7 +1373,8 @@ static int netlink_sendmsg(struct kiocb *kiocb, struct socket *sock,
dst_pid = addr->nl_pid;
dst_group = ffs(addr->nl_groups);
err = -EPERM;
- if (dst_group && !netlink_capable(sock, NL_NONROOT_SEND))
+ if ((dst_group || dst_pid) &&
+ !netlink_capable(sock, NL_NONROOT_SEND))
goto out;
} else {
dst_pid = nlk->dst_pid;
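Review bot: With the condition widened to `(dst_group || dst_pid)`, every unicast send to a non-zero port id from a socket whose bus lacks NL_NONROOT_SEND now fails with the -EPERM set just above, which is the user-to-user breakage the commit message concedes; a one-line comment at the check stating that dst_pid == 0 (the kernel) is deliberately still exempt and that NETLINK_USERSOCK is the supported bus for user-to-user unicast would spare the next reader a trip to the commit message, and since this is a user-visible behaviour change it deserves an explicit mention in the changelog so daemons that unicast on other buses can be found before they regress.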
@@ -2147,6 +2148,7 @@ static void __init netlink_add_usersock_entry(void)
rcu_assign_pointer(nl_table[NETLINK_USERSOCK].listeners, listeners);
nl_table[NETLINK_USERSOCK].module = THIS_MODULE;
nl_table[NETLINK_USERSOCK].registered = 1;
+ nl_table[NETLINK_USERSOCK].nl_nonroot = NL_NONROOT_SEND;
 
netlink_table_ungrab();
}
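Review bot: The new `nl_table[NETLINK_USERSOCK].nl_nonroot = NL_NONROOT_SEND;` sits before netlink_table_ungrab(), so the flag is published together with the rest of the entry and there is no window in which NETLINK_USERSOCK is registered but still rejects unprivileged unicast; one style point is that the plain assignment overwrites any other nl_nonroot bit the entry might carry, so `|=` would be the safer form if further flags are ever set on this entry, and a short comment saying why USERSOCK alone gets the exemption (it is the bus reserved for user-to-user traffic, per the commit message) would help whoever next touches this table.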
--
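The commit message describes the two checks a subscriber can apply to a notification's origin (socket credentials with UID 0, and Netlink port id 0 meaning the kernel) and the ctnetlink case where the port id alone misleads. The following is an added example, not code from the patch, the kernel or the netfilter project: a user-space subscriber in the role of conntrackd that applies both checks on the receiving side, as defence in depth alongside the kernel-side fix. The function names classify_origin and recv_and_classify are mine, the code assumes Linux with glibc, and the policy of combining a) and b) (accept kernel origin; accept a user-space port id only when SCM_CREDENTIALS shows uid 0; drop everything else) is my design choice, not something the commit message prescribes.

```c
/* Added example (not from the patch or the kernel): a user-space Netlink
 * subscriber applying the commit message's two origin checks. Linux only. */
#define _GNU_SOURCE
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>

#ifndef SCM_CREDENTIALS
#define SCM_CREDENTIALS 0x02   /* Linux ABI value; glibc hides it without _GNU_SOURCE */
#endif

/* Payload of SCM_CREDENTIALS, same layout as struct ucred (pid, uid, gid). */
struct scm_creds { pid_t pid; uid_t uid; gid_t gid; };

enum origin_verdict {
    ORIGIN_KERNEL = 0,   /* check b): nl_pid == 0, the kernel sent it  */
    ORIGIN_ROOT_USER,    /* check a): user-space port id, but uid == 0  */
    ORIGIN_UNPRIVILEGED  /* neither check passed: drop                  */
};

/* Pure policy. have_creds is false when no SCM_CREDENTIALS arrived (SO_PASSCRED
 * off, or control buffer truncated). The commit message lists a) and b) as
 * alternatives; combining them keeps ctnetlink-style events that carry the
 * triggering process's port id, provided credentials prove that sender was root. */
enum origin_verdict classify_origin(uint32_t nl_pid, bool have_creds, uid_t uid)
{
    if (nl_pid == 0)
        return ORIGIN_KERNEL;
    if (have_creds && uid == 0)
        return ORIGIN_ROOT_USER;
    return ORIGIN_UNPRIVILEGED;   /* unknown or non-root sender */
}

/* Receive one message on a bound AF_NETLINK socket with SO_PASSCRED enabled,
 * leave the payload in buf and return its verdict, or -1 on recvmsg() error. */
int recv_and_classify(int fd, char *buf, size_t len)
{
    struct sockaddr_nl src;
    struct iovec iov = { .iov_base = buf, .iov_len = len };
    union { struct cmsghdr hdr; char space[CMSG_SPACE(sizeof(struct scm_creds))]; } cbuf;
    struct msghdr msg = {
        .msg_name = &src, .msg_namelen = sizeof(src),
        .msg_iov = &iov, .msg_iovlen = 1,
        .msg_control = &cbuf, .msg_controllen = sizeof(cbuf),
    };
    bool have_creds = false;
    uid_t uid = (uid_t)-1;

    memset(&src, 0, sizeof(src));
    if (recvmsg(fd, &msg, 0) < 0)
        return -1;
    for (struct cmsghdr *c = CMSG_FIRSTHDR(&msg); c; c = CMSG_NXTHDR(&msg, c)) {
        if (c->cmsg_level == SOL_SOCKET && c->cmsg_type == SCM_CREDENTIALS) {
            struct scm_creds cr;
            memcpy(&cr, CMSG_DATA(c), sizeof(cr));
            have_creds = true;
            uid = cr.uid;
        }
    }
    return classify_origin(src.nl_pid, have_creds, uid);
}

/* Demo: subscribe to link events on NETLINK_ROUTE and drop untrusted senders. */
int main(void)
{
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE), on = 1;
    struct sockaddr_nl me = { .nl_family = AF_NETLINK, .nl_groups = RTMGRP_LINK };
    char buf[8192];

    if (fd < 0 || setsockopt(fd, SOL_SOCKET, SO_PASSCRED, &on, sizeof(on)) < 0 ||
        bind(fd, (struct sockaddr *)&me, sizeof(me)) < 0) {
        perror("netlink setup");
        return 1;
    }
    for (;;) {
        int v = recv_and_classify(fd, buf, sizeof(buf));
        if (v < 0) {
            perror("recvmsg");
            break;
        }
        if (v == ORIGIN_UNPRIVILEGED) {
            fprintf(stderr, "dropped notification from unprivileged sender\n");
            continue;
        }
        printf("accepted notification (%s)\n", v == ORIGIN_KERNEL ? "kernel" : "root");
        /* a real subscriber would walk the nlmsghdr chain in buf here */
    }
    close(fd);
    return 0;
}
```

The decision is kept in classify_origin so it can be exercised with constructed values; note that a message with a non-zero port id and no credentials at all is dropped rather than trusted, which is the safe default when SO_PASSCRED is not enabled or the control buffer was truncated.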