diff options
author | Jo-Philipp Wich <jo@mein.io> | 2016-06-11 00:53:16 +0200 |
---|---|---|
committer | Jo-Philipp Wich <jo@mein.io> | 2016-06-11 00:53:19 +0200 |
commit | 442db0d6d8614c354c1c1ce705dd57d020680bac (patch) | |
tree | 4b4ada48c6c5bc2015b2a600a1816231d48631b1 /target/linux | |
parent | dd182011e1acabc94169b85f3bc63efbab72ddd4 (diff) | |
download | mtk-20170518-442db0d6d8614c354c1c1ce705dd57d020680bac.zip mtk-20170518-442db0d6d8614c354c1c1ce705dd57d020680bac.tar.gz mtk-20170518-442db0d6d8614c354c1c1ce705dd57d020680bac.tar.bz2 |
kernel: deny swconfig set requests for unprivileged users
The swconfig kernel infrastructure fails to do any permissions checks when
changing settings. As such an ordinary user account on a device with a
switch can change switch settings without any special permissions.
Routers generally have few non-admin users so this isn't a big hole, but it
is a security hole. Likely the greatest danger is for multifunction devices
which have a lot of extra daemons, compromising a low-security daemon would
allow one to modify switch settings and cause the router/switch to appear to
lock-up (or cause other sorts of troublesome nyetwork behavior).
Implement a check for CAP_NET_ADMIN in swconfig_set_attr() and deny any
requests originating from user contexts lacking this capability.
Reported-by: Elliott Mitchell <ehem+openwrt@m5p.com>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Diffstat (limited to 'target/linux')
-rw-r--r-- | target/linux/generic/files/drivers/net/phy/swconfig.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/target/linux/generic/files/drivers/net/phy/swconfig.c b/target/linux/generic/files/drivers/net/phy/swconfig.c index b556510..699abd3 100644 --- a/target/linux/generic/files/drivers/net/phy/swconfig.c +++ b/target/linux/generic/files/drivers/net/phy/swconfig.c @@ -635,6 +635,9 @@ swconfig_set_attr(struct sk_buff *skb, struct genl_info *info) struct switch_val val; int err = -EINVAL; + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + dev = swconfig_get_dev(info); if (!dev) return -EINVAL; |