[PATCH 4/7] add missing module_alias_subsys
Harald Welte
laforge at netfilter.org
Sat Nov 5 12:53:37 CET 2005
On Sat, Nov 05, 2005 at 08:31:08AM +0100, Patrick McHardy wrote:
> Pablo Neira wrote:
> >Add missing module alias. This is a must to load ctnetlink on demand.
> >For example, the conntrack tool will fail if the module isn't loaded.
>
> I don't think this is a good idea currently. Capability checking is
> done after module autoloading, so any user can load ctnetlink,
> ip_conntrack and all related modules.
Interesting point, thanks for mentioning it.
> Please make sure to move capability checking in nfnetlink before
> module loading first.
This unfortunately doesn't work with the current architecture, where
every nfnetlink subsystem can specify the required capabilities per
message. That specification isn't available before loading the module,
though.
I think we can (in addition to our usual capability checks) add a
capability check to only do autoloading of a module if CAP_NET_ADMIN is
set. Like:
[NETFILTER] nfnetlink: only load subsystems if CAP_NET_ADMIN is set
Without this patch, any user can cause nfnetlink subsystems to be
autoloaded. Those subsystems however could add significant processing
overhead to packet processing, and would refuse any configuration messages
from non-CAP_NET_ADMIN processes anyway.
This patch follows a suggestion from Patrick McHardy.
Signed-off-by: Harald Welte <laforge at netfilter.org>
---
commit b73cccaf3b2d71b8f516c9b28cd44bf3b4efab1c
tree a67a2728bae003a7974ed9e5fd69bc8a40fd7f03
parent 5bd49cc95f4f8ef5e6782242709927cd3ee6337d
author Harald Welte <laforge at hanuman.de.gnumonks.org> Sat, 05 Nov 2005 12:52:07 +0100
committer Harald Welte <laforge at netfilter.org> Sat, 05 Nov 2005 12:52:07 +0100
net/netfilter/nfnetlink.c | 17 ++++++++++-------
1 files changed, 10 insertions(+), 7 deletions(-)
diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c
--- a/net/netfilter/nfnetlink.c
+++ b/net/netfilter/nfnetlink.c
@@ -240,15 +240,18 @@ static inline int nfnetlink_rcv_msg(stru
ss = nfnetlink_get_subsys(type);
if (!ss) {
#ifdef CONFIG_KMOD
- /* don't call nfnl_shunlock, since it would reenter
- * with further packet processing */
- up(&nfnl_sem);
- request_module("nfnetlink-subsys-%d", NFNL_SUBSYS_ID(type));
- nfnl_shlock();
- ss = nfnetlink_get_subsys(type);
+ if (cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN)) {
+ /* don't call nfnl_shunlock, since it would reenter
+ * with further packet processing */
+ up(&nfnl_sem);
+ request_module("nfnetlink-subsys-%d",
+ NFNL_SUBSYS_ID(type));
+ nfnl_shlock();
+ ss = nfnetlink_get_subsys(type);
+ }
if (!ss)
#endif
- goto err_inval;
+ goto err_inval;
}
nc = nfnetlink_find_client(type, ss);
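Review bot: an unprivileged caller addressing a not-yet-loaded subsystem now skips the `request_module()` call and falls through to `goto err_inval`, so it receives the same EINVAL as a request for a subsystem that does not exist at all; if that is the intended behaviour (unprivileged autoload requests are indistinguishable from unknown subsystems), a one-line comment next to the `cap_raised()` check would save the next reader from wondering whether EPERM was meant. The check itself is placed correctly: `NETLINK_CB(skb).eff_cap` is the sender's effective capability set captured with the message, so the gate is evaluated before the semaphore is dropped and `request_module()` runs, and the `if (!ss)` after the block still handles both the no-capability and the load-failed case under `CONFIG_KMOD`. The re-indentation of `goto err_inval` is a whitespace-only change and could be dropped to keep the hunk minimal.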
--
- Harald Welte <laforge at netfilter.org> http://netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed." -- Paul Vixie