
Commit dce766af authored by Florian Westphal, committed by Patrick McHardy

netfilter: ebtables: enforce CAP_NET_ADMIN



Normal users are currently allowed to set/modify ebtables rules.
Restrict it to processes with CAP_NET_ADMIN.

Note that this cannot be reproduced with the unmodified ebtables binary
because it uses SOCK_RAW.

Signed-off-by: Florian Westphal <fwestphal@astaro.com>
Cc: stable@kernel.org
Signed-off-by: Patrick McHardy <kaber@trash.net>
parent aaff23a9
+6 −0
@@ -1406,6 +1406,9 @@ static int do_ebt_set_ctl(struct sock *sk,
{
	int ret;

	if (!capable(CAP_NET_ADMIN))
		return -EPERM;

	switch(cmd) {
	case EBT_SO_SET_ENTRIES:
		ret = do_replace(sock_net(sk), user, len);
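Review bot: the capable(CAP_NET_ADMIN) check is placed ahead of switch(cmd) in do_ebt_set_ctl, so every EBT_SO_SET_* command, including EBT_SO_SET_ENTRIES -> do_replace(), is refused with -EPERM before any user-supplied buffer is read; that ordering is correct. The commit message could state explicitly that the setsockopt handler is reachable regardless of the socket type the caller opened, since the "cannot be reproduced with unmodified ebtables binary because it uses SOCK_RAW" note otherwise reads as if the SOCK_RAW requirement of the stock tool were the only existing guard.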
@@ -1425,6 +1428,9 @@ static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
	struct ebt_replace tmp;
	struct ebt_table *t;

	if (!capable(CAP_NET_ADMIN))
		return -EPERM;

	if (copy_from_user(&tmp, user, sizeof(tmp)))
		return -EFAULT;
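Review bot: gating do_ebt_get_ctl is a user-visible change that the commit message does not mention, since the body only speaks of the ability to "set/modify ebtables rules"; please add a sentence saying that reading ebtables table state via getsockopt now also requires CAP_NET_ADMIN, so that the stable backport notes the tightened read path as well. The placement before copy_from_user(&tmp, user, sizeof(tmp)) is right: the privilege check precedes any access to the caller's ebt_replace, and the error code is the same -EPERM as in the set path.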