b950960db8
[ Upstream commit 90f62cf30a ]
It is possible by passing a netlink socket to a more privileged
executable and then to fool that executable into writing to the socket
data that happens to be valid netlink message to do something that
privileged executable did not intend to do.
To keep this from happening replace bare capable and ns_capable calls
with netlink_capable, netlink_net_calls and netlink_ns_capable calls.
Which act the same as the previous calls except they verify that the
opener of the socket had the desired permissions as well.
Reported-by: Andy Lutomirski <luto@amacapital.net>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from v3.14.9 commit be0ef855baab7248d0fc71cdf78a47fcfd3708f1)
TEST=cbuildbot + manual boot
BUG=chromium:427008
Change-Id: I4ef07e2fc28236060665a2638c22bdd1059592da
Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/244352
Reviewed-by: Kees Cook <keescook@chromium.org>