[NETFILTER] nfnetlink: only load subsystems if CAP_NET_ADMIN is set
Without this patch, any user can cause nfnetlink subsystems to be autoloaded. Those subsystems however could add significant processing overhead to packet processing, and would refuse any configuration messages from non-CAP_NET_ADMIN processes anyway. This patch follows a suggestion from Patrick McHardy. Signed-off-by: Harald Welte <laforge@netfilter.org> Signed-off-by: David S. Miller <davem@davemloft.net>
parent
5978a9b82c
commit
ed77de9fc6
1 changed files with 10 additions and 7 deletions
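--- a/<file path not shown on page>
+++ b/<file path not shown on page>
@@ -240,15 +240,18 @@ static inline int nfnetlink_rcv_msg(struct sk_buff *skb,
 ss = nfnetlink_get_subsys(type);
 if (!ss) {
 #ifdef CONFIG_KMOD
-/* don't call nfnl_shunlock, since it would reenter
-* with further packet processing */
-up(&nfnl_sem);
-request_module("nfnetlink-subsys-%d", NFNL_SUBSYS_ID(type));
-nfnl_shlock();
-ss = nfnetlink_get_subsys(type);
+if (cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN)) {
+/* don't call nfnl_shunlock, since it would reenter
+* with further packet processing */
+up(&nfnl_sem);
+request_module("nfnetlink-subsys-%d",
+NFNL_SUBSYS_ID(type));
+nfnl_shlock();
+ss = nfnetlink_get_subsys(type);
+}
 if (!ss)
 #endif
-goto err_inval;
+goto err_inval;
 }
 
 nc = nfnetlink_find_client(type, ss);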
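Review bot: The new `if (cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN)) {` line is the security decision of this hunk and carries no comment; the existing comment next to it only explains the lock drop around request_module(). I would add above it `/* only CAP_NET_ADMIN senders may trigger autoload: loading a subsystem adds packet-processing cost, and unprivileged senders could not configure it anyway */`. With the gate in place an unprivileged request naming an unloaded subsystem now falls through to `err_inval` together with genuinely unknown subsystem ids, which is the intended outcome, though it presumably yields a different error than the permission failure a loaded subsystem would return, so that divergence deserves a sentence in the same comment. The `goto err_inval;` old/new pair appears to differ in indentation only, which the rendered page does not preserve. nfnetlink_rcv_msg starts and ends outside the hunk.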