• Eric W. Biederman's avatar
    netlink: Only check file credentials for implicit destinations · 2d7a85f4
    Eric W. Biederman authored
    It was possible to get a setuid root or setcap executable to write to
    it's stdout or stderr (which has been set made a netlink socket) and
    inadvertently reconfigure the networking stack.
    
    To prevent this we check that both the creator of the socket and
    the currentl applications has permission to reconfigure the network
    stack.
    
    Unfortunately this breaks Zebra which always uses sendto/sendmsg
    and creates it's socket without any privileges.
    
    To keep Zebra working don't bother checking if the creator of the
    socket has privilege when a destination address is specified.  Instead
    rely exclusively on the privileges of the sender of the socket.
    
    Note from Andy: This is exactly Eric's code except for some comment
    clarifications and formatting fixes.  Neither I nor, I think, anyone
    else is thrilled with this approach, but I'm hesitant to wait on a
    better fix since 3.15 is almost here.
    
    Note to stable maintainers: This is a mess.  An earlier series of
    patches in 3.15 fix a rather serious security issue (CVE-2014-0181),
    but they did so in a way that breaks Zebra.  The offending series
    includes:
    
        commit aa4cf945
        Author: Eric W. Biederman <ebiederm@xmission.com>
        Date:   Wed Apr 23 14:28:03 2014 -0700
    
            net: Add variants of capable for use on netlink messages
    
    If a given kernel version is missing that series of fixes, it's
    probably worth backporting it and this patch.  if that series is
    present, then this fix is critical if you care about Zebra.
    
    Cc: stable@vger.kernel.org
    Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
    Signed-off-by: default avatarAndy Lutomirski <luto@amacapital.net>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    2d7a85f4
af_netlink.c 73.5 KB