android_kernel_google_msm/net
Devin Kim 85c85ee651 netlink: fix possible spoofing from non-root processes
Non-root user-space processes can send Netlink messages to other
processes that are well-known for being subscribed to Netlink
asynchronous notifications. This allows illegitimate non-root
processes to send forged messages to Netlink subscribers.

The userspace process usually verifies the legitimate origin in
two ways:

a) Socket credentials. If UID != 0, then the message comes from
   some illegitimate process and the message needs to be dropped.

b) Netlink portID. In general, portID == 0 means that the origin
   of the messages comes from the kernel. Thus, discarding any
   message not coming from the kernel.

However, ctnetlink sets the portID in event messages that have
been triggered by some user-space process, e.g. the conntrack utility.
So other processes subscribed to ctnetlink events, e.g. conntrackd,
know that the event was triggered by some user-space action.

Neither of the two ways to discard illegitimate messages coming
from non-root processes can help for ctnetlink.

This patch adds capability validation in case that dst_pid is set
in netlink_sendmsg(). This approach is aggressive since existing
applications using any Netlink bus to deliver messages between
two user-space processes will break. Note that the exception is
NETLINK_USERSOCK, since it is reserved for netlink-to-netlink
userspace communication.

Still, if anyone wants his Netlink bus to allow netlink-to-netlink
userspace communication, then they can set NL_NONROOT_SEND. However, by default,
I don't think it makes sense to allow using NETLINK_ROUTE to
communicate between two processes that are sending, no matter what, information
that is not related to link/neighbouring/routing. They should be using
NETLINK_USERSOCK instead for that.

Change-Id: Ib1c38cb798391b51dedddf62a862346d36119ec7
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-03-04 12:46:01 -08:00
9p
802
8021q Revert "net: maintain namespace isolation between vlan and real device" 2012-05-10 23:03:34 -04:00
appletalk
atm
ax25 net ax25: Reorder ax25_exit to remove races. 2012-04-19 15:37:48 -04:00
batman-adv
bluetooth Bluetooth: Block SCO disconnect operation on BT_CLOSED state. 2013-02-27 18:20:11 -08:00
bridge Merge commit 'v3.4-rc6' into android-3.4 2012-05-07 18:20:34 -07:00
caif caif: Fix memory leakage in the chnl_net.c. 2012-04-13 11:01:44 -04:00
can
ceph
core pktgen: fix module unload for good 2012-05-18 13:54:33 -04:00
dcb
dccp
decnet
dns_resolver
dsa
econet
ethernet
ieee802154 6lowpan: add missing spin_lock_init() 2012-04-26 05:32:55 -04:00
ipv4 net: Fix compile warning in tcp.c 2013-02-25 11:37:03 -08:00
ipv6 ipv6: Enable new mode proxy_ndp == 2 2013-02-25 11:36:58 -08:00
ipx
irda
iucv
key net/key/af_key.c: add missing kfree_skb 2012-04-13 11:01:44 -04:00
l2tp net: l2tp: unlock socket lock before returning from l2tp_ip_sendmsg 2012-05-02 21:04:33 -04:00
lapb
llc
mac80211 mac80211: fix AP mode EAP tx for VLAN stations 2012-04-30 14:40:05 -04:00
netfilter Merge commit 'v3.4' into android-3.4 2012-05-25 13:56:28 -07:00
netlabel
netlink netlink: fix possible spoofing from non-root processes 2013-03-04 12:46:01 -08:00
netrom
nfc NFC: Fix the LLCP Tx fragmentation loop 2012-04-11 15:09:33 -04:00
openvswitch openvswitch: checking wrong variable in queue_userspace_packet() 2012-05-13 15:47:34 -04:00
packet
phonet phonet: Sort out initiailziation and cleanup code. 2012-04-13 11:01:43 -04:00
rds
rfkill
rose
rxrpc
sched net: sched: Schedule PRIO qdisc when flow control released 2013-02-27 18:18:56 -08:00
sctp sctp: check cached dst before using it 2012-05-10 23:15:47 -04:00
sunrpc auth_gss: the list of pseudoflavors not being parsed correctly 2012-05-03 12:35:33 -04:00
tipc
unix af_netlink: force credentials passing [CVE-2012-3520] 2013-03-04 12:46:00 -08:00
wanrouter
wimax
wireless net/wireless: Check for number of sub bands 2013-02-25 11:37:00 -08:00
x25
xfrm
activity_stats.c
compat.c
Kconfig
Makefile
nonet.c
socket.c
sysctl_net.c