Commit ed77de9f authored Nov 09, 2005 by Harald Welte Committed by David S. Miller Nov 09, 2005

[NETFILTER] nfnetlink: only load subsystems if CAP_NET_ADMIN is set



Without this patch, any user can cause nfnetlink subsystems to be
autoloaded.  Those subsystems however could add significant processing
overhead to packet processing, and would refuse any configuration messages
from non-CAP_NET_ADMIN processes anyway.

This patch follows a suggestion from Patrick McHardy.

Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

parent 5978a9b8

net/netfilter/nfnetlink.c

+10 −7

Original line number	Diff line number	Diff line
		@@ -240,12 +240,15 @@ static inline int nfnetlink_rcv_msg(struct sk_buff *skb,
		ss = nfnetlink_get_subsys(type);
		if (!ss) {
		#ifdef CONFIG_KMOD
		if (cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN)) {
		/* don't call nfnl_shunlock, since it would reenter
		* with further packet processing */
		up(&nfnl_sem);
		request_module("nfnetlink-subsys-%d", NFNL_SUBSYS_ID(type));
		request_module("nfnetlink-subsys-%d",
		NFNL_SUBSYS_ID(type));
		nfnl_shlock();
		ss = nfnetlink_get_subsys(type);
		}
		if (!ss)
		#endif
		goto err_inval;