[NETFILTER] nfnetlink: only load subsystems if CAP_NET_ADMIN is set
authorHarald Welte <laforge@netfilter.org>
Wed, 9 Nov 2005 21:02:16 +0000 (13:02 -0800)
committerDavid S. Miller <davem@davemloft.net>
Wed, 9 Nov 2005 21:02:16 +0000 (13:02 -0800)
Without this patch, any user can cause nfnetlink subsystems to be
autoloaded.  Those subsystems however could add significant processing
overhead to packet processing, and would refuse any configuration messages
from non-CAP_NET_ADMIN processes anyway.

This patch follows a suggestion from Patrick McHardy.

Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/netfilter/nfnetlink.c

index f8bd7c7e7921530df94ec1310dcf77884b8b1bbc..83f4c53030fca5175a1cffcd8ea98b27e6c18e47 100644 (file)
@@ -240,15 +240,18 @@ static inline int nfnetlink_rcv_msg(struct sk_buff *skb,
        ss = nfnetlink_get_subsys(type);
        if (!ss) {
 #ifdef CONFIG_KMOD
-               /* don't call nfnl_shunlock, since it would reenter
-                * with further packet processing */
-               up(&nfnl_sem);
-               request_module("nfnetlink-subsys-%d", NFNL_SUBSYS_ID(type));
-               nfnl_shlock();
-               ss = nfnetlink_get_subsys(type);
+               if (cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN)) {
+                       /* don't call nfnl_shunlock, since it would reenter
+                        * with further packet processing */
+                       up(&nfnl_sem);
+                       request_module("nfnetlink-subsys-%d",
+                                       NFNL_SUBSYS_ID(type));
+                       nfnl_shlock();
+                       ss = nfnetlink_get_subsys(type);
+               }
                if (!ss)
 #endif
-               goto err_inval;
+                       goto err_inval;
        }
 
        nc = nfnetlink_find_client(type, ss);
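Review bot: A sender without CAP_NET_ADMIN now takes the same `goto err_inval` path as a request for a subsystem that does not exist, so the privilege check is invisible to anyone reading the error code or the code itself; a comment above the new `if (cap_raised(...))` line should make this deliberate, e.g. `/* Only privileged senders may trigger module autoload; unprivileged ones fall through to err_inval as if the subsystem were absent. */`. Note that the check is evaluated only under CONFIG_KMOD, so on non-KMOD builds the capability is not consulted here at all and the lookup result alone decides, which is consistent with the intent but worth stating in that comment. The lock is still dropped and retaken around request_module, so `ss` is looked up again afterwards as before. nfnetlink_rcv_msg starts and ends outside this hunk.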