[NETFILTER] nfnetlink: only load subsystems if CAP_NET_ADMIN is set

Without this patch, any user can cause nfnetlink subsystems to be autoloaded. Those subsystems, however, could add significant processing overhead to packet processing, and would refuse any configuration messages from non-CAP_NET_ADMIN processes anyway.
This patch follows a suggestion from Patrick McHardy. Signed-off-by: Harald Welte <[EMAIL PROTECTED]> --- commit b73cccaf3b2d71b8f516c9b28cd44bf3b4efab1c tree a67a2728bae003a7974ed9e5fd69bc8a40fd7f03 parent 5bd49cc95f4f8ef5e6782242709927cd3ee6337d author Harald Welte <[EMAIL PROTECTED]> Sat, 05 Nov 2005 12:52:07 +0100 committer Harald Welte <[EMAIL PROTECTED]> Sat, 05 Nov 2005 12:52:07 +0100 net/netfilter/nfnetlink.c | 17 ++++++++++------- 1 files changed, 10 insertions(+), 7 deletions(-) diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c --- a/net/netfilter/nfnetlink.c +++ b/net/netfilter/nfnetlink.c @@ -240,15 +240,18 @@ static inline int nfnetlink_rcv_msg(stru ss = nfnetlink_get_subsys(type); if (!ss) { #ifdef CONFIG_KMOD - /* don't call nfnl_shunlock, since it would reenter - * with further packet processing */ - up(&nfnl_sem); - request_module("nfnetlink-subsys-%d", NFNL_SUBSYS_ID(type)); - nfnl_shlock(); - ss = nfnetlink_get_subsys(type); + if (cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN)) { + /* don't call nfnl_shunlock, since it would reenter + * with further packet processing */ + up(&nfnl_sem); + request_module("nfnetlink-subsys-%d", + NFNL_SUBSYS_ID(type)); + nfnl_shlock(); + ss = nfnetlink_get_subsys(type); + } if (!ss) #endif - goto err_inval; + goto err_inval; } nc = nfnetlink_find_client(type, ss); -- - Harald Welte <[EMAIL PROTECTED]> http://netfilter.org/ ============================================================================ "Fragmentation is like classful addressing -- an interesting early architectural error that shows how much experimentation was going on while IP was being designed." -- Paul Vixie
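Review bot: in the CONFIG_KMOD branch, a sender without CAP_NET_ADMIN now skips request_module() and, because ss is still NULL, falls through to `goto err_inval`, so the errno an unprivileged sender sees depends on whether the module happens to be loaded already (EINVAL here, versus whatever the loaded subsystem returns when it refuses the message, as the commit message says it will). Returning an explicit permission error on the failed capability check, e.g. `if (!cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN)) return -EPERM;` ahead of the autoload block, would make the result independent of module state and avoid giving unprivileged processes a way to tell resident subsystems from absent ones. Minor: the `- goto err_inval;` / `+ goto err_inval;` pair at the end of the hunk looks like a whitespace-only re-indent and could be dropped to keep the diff minimal.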