Commit [90f62c]

net: Use netlink_ns_capable to verify the permissions of netlink messages

It is possible by passing a netlink socket to a more privileged
executable and then to fool that executable into writing to the socket
data that happens to be a valid netlink message to do something that
privileged executable did not intend to do.

To keep this from happening replace bare capable and ns_capable calls
with netlink_capable, netlink_net_calls and netlink_ns_capable calls.
Which act the same as the previous calls except they verify that the
opener of the socket had the desired permissions as well.

Reported-by: Andy Lutomirski <luto@amacapital.net>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

Eric W. Biederman 2014-04-23

David S. Miller 2014-04-24
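
The difference between checking only the writer and also checking the socket's opener, modelled in userspace C as an added example (not code from this commit or from the kernel tree). The struct and function names, the `MODEL_CAP_NET_ADMIN` bit mask and the scenarios are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace model; every name here is hypothetical, not a kernel symbol. */
#define MODEL_CAP_NET_ADMIN (1u << 12)  /* CAP_NET_ADMIN is capability 12 */

struct cred_model { uint32_t caps; };              /* effective capabilities */
struct sock_model { struct cred_model opener; };   /* fixed when socket is opened */
struct msg_model {
    const struct sock_model *sk;   /* socket the message was written to */
    struct cred_model writer;      /* task that performed the write */
};

static bool has_cap(const struct cred_model *c, uint32_t cap)
{
    return (c->caps & cap) == cap;
}

/* Before the change: only the writing task is checked. */
bool writer_only_check(const struct msg_model *m, uint32_t cap)
{
    return has_cap(&m->writer, cap);
}

/* After the change: the socket's opener must hold the capability too. */
bool opener_and_writer_check(const struct msg_model *m, uint32_t cap)
{
    return has_cap(&m->sk->opener, cap) && has_cap(&m->writer, cap);
}

/* Build a constructed message and run one of the two checks on it. */
bool request_allowed(uint32_t opener_caps, uint32_t writer_caps, bool fixed)
{
    struct sock_model sk = { .opener = { opener_caps } };
    struct msg_model m = { .sk = &sk, .writer = { writer_caps } };
    return fixed ? opener_and_writer_check(&m, MODEL_CAP_NET_ADMIN)
                 : writer_only_check(&m, MODEL_CAP_NET_ADMIN);
}

int main(void)
{
    /* Socket opened without the capability, written to by a task with it. */
    printf("writer-only check:       %d\n", request_allowed(0, MODEL_CAP_NET_ADMIN, false));
    printf("opener-and-writer check: %d\n", request_allowed(0, MODEL_CAP_NET_ADMIN, true));
    /* Socket opened and written to by the same privileged task. */
    printf("privileged opener:       %d\n", request_allowed(MODEL_CAP_NET_ADMIN, MODEL_CAP_NET_ADMIN, true));
    return 0;
}
```
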

changed crypto
changed crypto/crypto_user.c
changed drivers
changed drivers/connector
changed drivers/connector/cn_proc.c
changed drivers/scsi
changed drivers/scsi/scsi_netlink.c
changed kernel
changed kernel/audit.c
changed net
changed net/can
changed net/can/gw.c
changed net/core
changed net/core/rtnetlink.c
changed net/dcb
changed net/dcb/dcbnl.c
changed net/decnet
changed net/decnet/dn_dev.c
changed net/decnet/dn_fib.c
changed net/decnet/netfilter
changed net/decnet/netfilter/dn_rtmsg.c
changed net/netfilter
changed net/netfilter/nfnetlink.c
changed net/netlink
changed net/netlink/genetlink.c
changed net/packet
changed net/packet/diag.c
changed net/phonet
changed net/phonet/pn_netlink.c
changed net/sched
changed net/sched/act_api.c
changed net/sched/cls_api.c
changed net/sched/sch_api.c
changed net/tipc
changed net/tipc/netlink.c
changed net/xfrm
changed net/xfrm/xfrm_user.c