On Sun, Dec 03, 2017 at 12:12:45PM -0800, Kevin Cernekee wrote:

> The capability check in nfnetlink_rcv() verifies that the caller
> has CAP_NET_ADMIN in the namespace that "owns" the netlink socket.
> However, nfnl_cthelper_list is shared by all net namespaces on the
> system.

Right, we need per-netns support for nfnetlink_cthelper.

> An unprivileged user can create user and net namespaces
> in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable()
> check:

Applied to nf, thanks.

[...]

> I think xt_osf has the same issue with respect to xt_osf_fingers.
>
> Also, it looks like nlmon devices created in an unprivileged netns can
> see netlink activity from the init namespace.

A fix for that one would be good too.