netfilter: ebtables: enforce CAP_NET_ADMIN

commit dce766af541f6605fa9889892c0280bab31c66ab upstream.

normal users are currently allowed to set/modify ebtables rules.
Restrict it to processes with CAP_NET_ADMIN.

Note that this cannot be reproduced with unmodified ebtables binary
because it uses SOCK_RAW.

Signed-off-by: Florian Westphal <fwestphal@astaro.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 37928d5f284024b871604462fbfa04bc037c61a9..4877d57205de203b12775c4da04021dcb794b0fb 100644 (file)
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -1405,6 +1405,9 @@ static int do_ebt_set_ctl(struct sock *sk,
 {
        int ret;
 
+       if (!capable(CAP_NET_ADMIN))
+               return -EPERM;
+
        switch(cmd) {
        case EBT_SO_SET_ENTRIES:
                ret = do_replace(sock_net(sk), user, len);
@@ -1424,6 +1427,9 @@ static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
        struct ebt_replace tmp;
        struct ebt_table *t;
 
+       if (!capable(CAP_NET_ADMIN))
+               return -EPERM;
+
        if (copy_from_user(&tmp, user, sizeof(tmp)))
                return -EFAULT;