On Tue, Dec 05, 2017 at 03:42:41PM -0800, Kevin Cernekee wrote:
> The capability check in nfnetlink_rcv() verifies that the caller
> has CAP_NET_ADMIN in the namespace that "owns" the netlink socket.
> However, xt_osf_fingers is shared by all net namespaces on the
> system. An unprivileged user can create user and net namespaces
> in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable()
> check:
>
> vpnns -- nfnl_osf -f /tmp/pf.os
>
> vpnns -- nfnl_osf -f /tmp/pf.os -d
>
> These non-root operations successfully modify the systemwide OS
> fingerprint list. Add new capable() checks so that they can't.

Applied, thanks Kevin.
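The commit message above turns on the difference between a capability check scoped to the user namespace that owns the netlink socket (netlink_net_capable()) and one scoped to the initial user namespace (capable()). The following is an added, user-space model of those semantics written for this thread; it is not kernel code and not part of the patch. Names prefixed `model_` are hypothetical stand-ins for the kernel functions, and the namespace and credential objects are constructed for the scenario the message describes: an unprivileged user who unshares a user and net namespace and therefore holds CAP_NET_ADMIN relative to the child namespace only.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of Linux user-namespace capability semantics (not kernel code). */
#define CAP_NET_ADMIN 12

struct user_ns {
    const char *name;
    struct user_ns *parent;      /* NULL for the initial user namespace */
};

struct cred {
    struct user_ns *user_ns;     /* namespace the process's capabilities are relative to */
    unsigned long cap_effective; /* bitmask of held capabilities */
};

struct net {
    struct user_ns *user_ns;     /* user namespace that owns this net namespace */
};

static struct user_ns init_user_ns = { "init_user_ns", NULL };

/* Model of ns_capable(): the caller holds `cap` in `target` only if the bit is set
 * and the caller's own user namespace is `target` or one of its ancestors. */
static bool model_ns_capable(const struct cred *c, const struct user_ns *target, int cap)
{
    if (!(c->cap_effective & (1UL << cap)))
        return false;
    for (const struct user_ns *ns = target; ns != NULL; ns = ns->parent)
        if (ns == c->user_ns)
            return true;
    return false;
}

/* Model of capable(): check against the initial user namespace. */
static bool model_capable(const struct cred *c, int cap)
{
    return model_ns_capable(c, &init_user_ns, cap);
}

/* Model of netlink_net_capable(): check against the user namespace that owns
 * the net namespace of the socket the message arrived on. */
static bool model_netlink_net_capable(const struct cred *c, const struct net *sock_net, int cap)
{
    return model_ns_capable(c, sock_net->user_ns, cap);
}

/* Handler as described before the fix: only the per-namespace check guards a
 * resource (the OS fingerprint list) that is shared by every net namespace.
 * Returns 0 on success, -1 for the kernel's -EPERM. */
static int osf_modify_before(const struct cred *c, const struct net *sock_net)
{
    if (!model_netlink_net_capable(c, sock_net, CAP_NET_ADMIN))
        return -1;
    return 0;
}

/* Handler with the additional capable() check the commit message adds. */
static int osf_modify_after(const struct cred *c, const struct net *sock_net)
{
    if (!model_netlink_net_capable(c, sock_net, CAP_NET_ADMIN))
        return -1;
    if (!model_capable(c, CAP_NET_ADMIN))
        return -1;
    return 0;
}

/* Constructed scenario: a child user namespace owning a child net namespace,
 * an unprivileged process that is "root" only inside that child, and real root. */
static struct user_ns child_user_ns = { "child_user_ns", &init_user_ns };
static struct net init_net = { &init_user_ns };
static struct net child_net = { &child_user_ns };
static struct cred unpriv_in_child = { &child_user_ns, 1UL << CAP_NET_ADMIN };
static struct cred root_in_init = { &init_user_ns, 1UL << CAP_NET_ADMIN };

int main(void)
{
    printf("unpriv, child ns, before fix: %d (0 = modification allowed)\n",
           osf_modify_before(&unpriv_in_child, &child_net));
    printf("unpriv, child ns, after fix:  %d\n",
           osf_modify_after(&unpriv_in_child, &child_net));
    printf("root,   init ns,  after fix:  %d\n",
           osf_modify_after(&root_in_init, &init_net));
    return 0;
}
```

The per-namespace check passes for the child-namespace caller because the socket's owning namespace is the one in which that caller is privileged; the init-namespace check fails because the child namespace is not an ancestor of init_user_ns. The general rule the model illustrates: a check scoped to the caller's namespace is only sufficient when the object being modified is itself per-namespace.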