author	Patrick McHardy <kaber@trash.net>	2006-11-17 06:35:41 +0100
committer	Chris Wright <chrisw@sous-sol.org>	2006-12-01 16:12:35 -0800
commit	e4cb788a4c160fe69f8b4d770ce03ab62bdefb06 (patch)
tree	c0b2e112cf749e54fe415c8e5a372183ff866e46
parent	6ae616ea9dda7f6f5932dbaed31922fd27a83420 (diff)
[PATCH] NETFILTER: Missing check for CAP_NET_ADMIN in iptables compat layer
The 32bit compatibility layer has no CAP_NET_ADMIN check in compat_do_ipt_get_ctl, which for example allows to list the current iptables rules even without having that capability (the non-compat version requires it). Other capabilities might be required to exploit the bug (e.g. CAP_NET_RAW to get the nfnetlink socket?), so a plain user can't exploit it, but a setup actually using the posix capability system might very well hit such a constellation of granted capabilities.

Signed-off-by: Björn Steinbrink <B.Steinbrink@gmx.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
-rw-r--r--	net/ipv4/netfilter/ip_tables.c	3
1 files changed, 3 insertions, 0 deletions
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 048514f15f2f..c64340b3cda8 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -1994,6 +1994,9 @@ compat_do_ipt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
{
int ret;
+ if (!capable(CAP_NET_ADMIN))
+ return -EPERM;
+
switch (cmd) {
case IPT_SO_GET_INFO:
ret = get_info(user, len, 1);
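Review bot: Placing the capable(CAP_NET_ADMIN) check ahead of the switch is the right call, since it gates every compat GET command (IPT_SO_GET_INFO and whatever cases follow) rather than only the rule-listing case the description mentions, and returning -EPERM before any handler runs avoids a partially initialised ret. Two follow-ups worth raising: the commit message names the symptom but not the native function whose check this mirrors, so a one-line reference to the equivalent check in the non-compat get_ctl path would let reviewers confirm the two paths now agree; and since this hunk only covers GET, the same review should confirm the compat SET path carries its own capability check.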