From 442db0d6d8614c354c1c1ce705dd57d020680bac Mon Sep 17 00:00:00 2001 From: Jo-Philipp Wich Date: Sat, 11 Jun 2016 00:53:16 +0200 Subject: [PATCH] kernel: deny swconfig set requests for unprivileged users The swconfig kernel infrastructure fails to do any permissions checks when changing settings. As such an ordinary user account on a device with a switch can change switch settings without any special permissions. Routers generally have few non-admin users so this isn't a big hole, but it is a security hole. Likely the greatest danger is for multifunction devices which have a lot of extra daemons, compromising a low-security daemon would allow one to modify switch settings and cause the router/switch to appear to lock-up (or cause other sorts of troublesome nyetwork behavior). Implement a check for CAP_NET_ADMIN in swconfig_set_attr() and deny any requests originating from user contexts lacking this capability. Reported-by: Elliott Mitchell Signed-off-by: Jo-Philipp Wich --- target/linux/generic/files/drivers/net/phy/swconfig.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/target/linux/generic/files/drivers/net/phy/swconfig.c b/target/linux/generic/files/drivers/net/phy/swconfig.c index b556510aef..699abd33dd 100644 --- a/target/linux/generic/files/drivers/net/phy/swconfig.c +++ b/target/linux/generic/files/drivers/net/phy/swconfig.c @@ -635,6 +635,9 @@ swconfig_set_attr(struct sk_buff *skb, struct genl_info *info) struct switch_val val; int err = -EINVAL; + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + dev = swconfig_get_dev(info); if (!dev) return -EINVAL; -- 2.30.2