summaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
authorHarald Welte <laforge@netfilter.org>2005-11-09 13:02:16 -0800
committerDavid S. Miller <davem@davemloft.net>2005-11-09 13:02:16 -0800
commited77de9fc69076e6e7c85edf7c1b70650f53121a (patch)
treeeb75bc1a632003f97d50920023e7802f5e2ae169 /net
parent5978a9b82c55b82a1087bd86e0ae8b00f94d0d0b (diff)
downloadkernel-crypto-ed77de9fc69076e6e7c85edf7c1b70650f53121a.tar.gz
kernel-crypto-ed77de9fc69076e6e7c85edf7c1b70650f53121a.tar.xz
kernel-crypto-ed77de9fc69076e6e7c85edf7c1b70650f53121a.zip
[NETFILTER] nfnetlink: only load subsystems if CAP_NET_ADMIN is set
Without this patch, any user can cause nfnetlink subsystems to be autoloaded. Those subsystems however could add significant processing overhead to packet processing, and would refuse any configuration messages from non-CAP_NET_ADMIN processes anyway. This patch follows a suggestion from Patrick McHardy. Signed-off-by: Harald Welte <laforge@netfilter.org> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r--net/netfilter/nfnetlink.c17
1 files changed, 10 insertions, 7 deletions
diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c
index f8bd7c7e792..83f4c53030f 100644
--- a/net/netfilter/nfnetlink.c
+++ b/net/netfilter/nfnetlink.c
@@ -240,15 +240,18 @@ static inline int nfnetlink_rcv_msg(struct sk_buff *skb,
ss = nfnetlink_get_subsys(type);
if (!ss) {
#ifdef CONFIG_KMOD
- /* don't call nfnl_shunlock, since it would reenter
- * with further packet processing */
- up(&nfnl_sem);
- request_module("nfnetlink-subsys-%d", NFNL_SUBSYS_ID(type));
- nfnl_shlock();
- ss = nfnetlink_get_subsys(type);
+ if (cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN)) {
+ /* don't call nfnl_shunlock, since it would reenter
+ * with further packet processing */
+ up(&nfnl_sem);
+ request_module("nfnetlink-subsys-%d",
+ NFNL_SUBSYS_ID(type));
+ nfnl_shlock();
+ ss = nfnetlink_get_subsys(type);
+ }
if (!ss)
#endif
- goto err_inval;
+ goto err_inval;
}
nc = nfnetlink_find_client(type, ss);