Ido Schimmel 580c80b6f8 psample: Require 'CAP_NET_ADMIN' when joining "packets" group
[ Upstream commit 44ec98ea5e ]

The "psample" generic netlink family notifies sampled packets over the
"packets" multicast group. This is problematic since by default generic
netlink allows non-root users to listen to these notifications.

Fix by marking the group with the 'GENL_UNS_ADMIN_PERM' flag. This will
prevent non-root users or root without the 'CAP_NET_ADMIN' capability
(in the user namespace owning the network namespace) from joining the
group.

Tested using [1].

Before:

 # capsh -- -c ./psample_repo
 # capsh --drop=cap_net_admin -- -c ./psample_repo

After:

 # capsh -- -c ./psample_repo
 # capsh --drop=cap_net_admin -- -c ./psample_repo
 Failed to join "packets" multicast group

[1]
 $ cat psample.c
 #include <stdio.h>
 #include <netlink/genl/ctrl.h>
 #include <netlink/genl/genl.h>
 #include <netlink/socket.h>

 int join_grp(struct nl_sock *sk, const char *grp_name)
 {
 	int grp, err;

 	grp = genl_ctrl_resolve_grp(sk, "psample", grp_name);
 	if (grp < 0) {
 		fprintf(stderr, "Failed to resolve \"%s\" multicast group\n",
 			grp_name);
 		return grp;
 	}

 	err = nl_socket_add_memberships(sk, grp, NFNLGRP_NONE);
 	if (err) {
 		fprintf(stderr, "Failed to join \"%s\" multicast group\n",
 			grp_name);
 		return err;
 	}

 	return 0;
 }

 int main(int argc, char **argv)
 {
 	struct nl_sock *sk;
 	int err;

 	sk = nl_socket_alloc();
 	if (!sk) {
 		fprintf(stderr, "Failed to allocate socket\n");
 		return -1;
 	}

 	err = genl_connect(sk);
 	if (err) {
 		fprintf(stderr, "Failed to connect socket\n");
 		return err;
 	}

 	err = join_grp(sk, "config");
 	if (err)
 		return err;

 	err = join_grp(sk, "packets");
 	if (err)
 		return err;

 	return 0;
 }
 $ gcc -I/usr/include/libnl3 -lnl-3 -lnl-genl-3 -o psample_repo psample.c

Fixes: 6ae0a62861 ("net: Introduce psample, a new genetlink channel for packet sampling")
Reported-by: "The UK's National Cyber Security Centre (NCSC)" <security@ncsc.gov.uk>
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
Reviewed-by: Jiri Pirko <jiri@nvidia.com>
Link: https://lore.kernel.org/r/20231206213102.1824398-2-idosch@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2023-12-13 18:45:10 +01:00
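
The "Before"/"After" runs in the commit message above differ only in whether the caller holds 'CAP_NET_ADMIN'. The following is an added example, not part of the commit or of the kernel tree: it decodes the `CapEff` mask from `/proc/<pid>/status` to predict whether joining the "packets" group should succeed on a kernel carrying this fix. The function names and sample status excerpts are constructed for illustration, and the process is assumed to run in the user namespace that owns its network namespace.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAP_NET_ADMIN_BIT 12 /* CAP_NET_ADMIN in <linux/capability.h> */

/* Constructed /proc/<pid>/status excerpts: full root, and root after
 * "capsh --drop=cap_net_admin" (bit 12 cleared). */
static const char SAMPLE_FULL_ROOT[] =
	"Name:\tpsample_repo\nCapEff:\t000001ffffffffff\n";
static const char SAMPLE_DROPPED[] =
	"Name:\tpsample_repo\nCapEff:\t000001ffffffefff\n";

/* Extract the effective capability mask; 0 on success, -1 if absent/malformed. */
int parse_cap_eff(const char *status, unsigned long long *mask)
{
	const char *p = status;

	while (p && *p) {
		if (strncmp(p, "CapEff:", 7) == 0) {
			const char *v = p + 7;

			while (*v == ' ' || *v == '\t')
				v++;
			if (!isxdigit((unsigned char)*v))
				return -1;
			*mask = strtoull(v, NULL, 16);
			return 0;
		}
		p = strchr(p, '\n'); /* advance to the start of the next line */
		if (p)
			p++;
	}
	return -1;
}

/* 1: join expected to succeed on a fixed kernel; 0: refusal expected;
 * -1: no usable CapEff line. CapEff is relative to the process's own
 * user namespace (assumed here to own the network namespace). */
int expect_packets_join(const char *status)
{
	unsigned long long mask;

	if (parse_cap_eff(status, &mask))
		return -1;
	return (int)((mask >> CAP_NET_ADMIN_BIT) & 1ULL);
}

int main(void)
{
	printf("full root: %d\n", expect_packets_join(SAMPLE_FULL_ROOT));
	printf("cap_net_admin dropped: %d\n", expect_packets_join(SAMPLE_DROPPED));
	return 0;
}
```

To audit a live process, pass the contents of its `/proc/<pid>/status` file to `expect_packets_join()` instead of the constructed samples.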
arch x86/tdx: Allow 32-bit emulation by default 2023-12-13 18:45:02 +01:00
block block: update the stable_writes flag in bdev_add 2023-12-03 07:33:03 +01:00
certs
crypto crypto: pcrypt - Fix hungtask for PADATA_RESET 2023-11-28 17:19:42 +00:00
Documentation dt-bindings: interrupt-controller: Allow #power-domain-cells 2023-12-13 18:45:09 +01:00
drivers net: dsa: mv88e6xxx: Restore USXGMII support for 6393X 2023-12-13 18:45:10 +01:00
fs btrfs: fix 64bit compat send ioctl arguments not initializing version member 2023-12-08 08:52:20 +01:00
include tcp: fix mid stream window clamp. 2023-12-13 18:45:07 +01:00
init proc: sysctl: prevent aliased sysctls from getting passed to init 2023-11-28 17:19:57 +00:00
io_uring io_uring/kbuf: recycle freed mapped buffer ring entries 2023-12-08 08:52:21 +01:00
ipc
kernel bpf: Fix a verifier bug due to incorrect branch offset comparison with cpu=v4 2023-12-13 18:45:04 +01:00
lib zstd: Fix array-index-out-of-bounds UBSAN warning 2023-12-13 18:44:58 +01:00
LICENSES
mm filemap: add a per-mapping stable writes flag 2023-12-03 07:33:03 +01:00
net psample: Require 'CAP_NET_ADMIN' when joining "packets" group 2023-12-13 18:45:10 +01:00
rust rust: docs: fix logo replacement 2023-10-19 16:40:00 +02:00
samples samples/bpf: syscall_tp_user: Fix array out-of-bound access 2023-11-28 17:19:48 +00:00
scripts dt: dt-extract-compatibles: Don't follow symlinks when walking tree 2023-12-13 18:45:03 +01:00
security apparmor: Fix regression in mount mediation 2023-11-28 17:20:07 +00:00
sound ALSA: hda/realtek: Add supported ALC257 for ChromeOS 2023-12-08 08:52:16 +01:00
tools selftests/net: mptcp: fix uninitialized variable warnings 2023-12-08 08:52:22 +01:00
usr
virt
.clang-format
.cocciconfig
.get_maintainer.ignore
.gitattributes
.gitignore
.mailmap 20 hotfixes. 12 are cc:stable and the remainder address post-6.5 issues 2023-10-24 09:52:16 -10:00
.rustfmt.toml
COPYING
CREDITS
Kbuild
Kconfig
MAINTAINERS Char/Misc driver fixes for 6.6-final 2023-10-28 07:51:27 -10:00
Makefile Linux 6.6.6 2023-12-11 10:40:17 +01:00
README

Linux kernel
============

There are several guides for kernel developers and users. These guides can
be rendered in a number of formats, like HTML and PDF. Please read
Documentation/admin-guide/README.rst first.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.  The formatted documentation can also be read online at:

    https://www.kernel.org/doc/html/latest/

There are various text files in the Documentation/ subdirectory,
several of them using the reStructuredText markup notation.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result from upgrading your kernel.