    netlink: fix possible spoofing from non-root processes · 20e1db19
    Pablo Neira Ayuso authored
    Non-root user-space processes can send Netlink messages to other
    processes that are well-known for being subscribed to Netlink
    asynchronous notifications. This allows an illegitimate non-root
    process to send forged messages to Netlink subscribers.
    
    The userspace process usually verifies the legitimate origin in
    two ways:
    
    a) Socket credentials. If UID != 0, then the message comes from
       some illegitimate process and the message needs to be dropped.
    
    b) Netlink portID. In general, portID == 0 means that the origin
       of the messages comes from the kernel. Thus, discarding any
       message not coming from the kernel.
    
    However, ctnetlink sets the portID in event messages that have
    been triggered by some user-space process, e.g. the conntrack utility.
    So other processes subscribed to ctnetlink events, e.g. conntrackd,
    know that the event was triggered by some user-space action.
    
    Neither of the two ways to discard illegitimate messages coming
    from non-root processes can help for ctnetlink.
    
    This patch adds capability validation in case that dst_pid is set
    in netlink_sendmsg(). This approach is aggressive since existing
    applications using any Netlink bus to deliver messages between
    two user-space processes will break. Note that the exception is
    NETLINK_USERSOCK, since it is reserved for netlink-to-netlink
    userspace communication.
    
    Still, if anyone wants that his Netlink bus allows netlink-to-netlink
    userspace, then they can set NL_NONROOT_SEND. However, by default,
    I don't think it makes sense to allow to use NETLINK_ROUTE to
    communicate two processes that are sending no matter what information
    that is not related to link/neighbouring/routing. They should be using
    NETLINK_USERSOCK instead for that.
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>