From patchwork Mon Aug 23 12:50:01 2010
From: luciano.coelho@nokia.com
To: kaber@trash.net
Cc: netfilter-devel@vger.kernel.org, netdev@vger.kernel.org, Luciano Coelho
Subject: [PATCH] netfilter: xt_condition: add security capability support
Date: Mon, 23 Aug 2010 15:50:01 +0300
Message-Id: <1282567801-2673-1-git-send-email-luciano.coelho@nokia.com>
X-Patchwork-Submitter: Luciano Coelho
X-Patchwork-Id: 62482
X-Patchwork-Delegate: davem@davemloft.net
X-Mailing-List: netdev@vger.kernel.org
From: Luciano Coelho Add a module parameter that allows the required security capability to change the conditions from userspace to be specified. By default the module will require the CAP_NET_ADMIN capability. Signed-off-by: Luciano Coelho --- net/netfilter/xt_condition.c | 10 ++++++++++ 1 files changed, 10 insertions(+), 0 deletions(-) diff --git a/net/netfilter/xt_condition.c b/net/netfilter/xt_condition.c index 06205aa..fd279e5 100644 --- a/net/netfilter/xt_condition.c +++ b/net/netfilter/xt_condition.c @@ -29,11 +29,13 @@ #include #include #include +#include /* Defaults, these can be overridden on the module command-line. */ static unsigned int condition_list_perms = S_IRUGO | S_IWUSR; static unsigned int condition_uid_perms = 0; static unsigned int condition_gid_perms = 0; +static unsigned int condition_capabilities = CAP_NET_ADMIN; MODULE_AUTHOR("Stephane Ouellette "); MODULE_AUTHOR("Massimiliano Hofer "); @@ -47,6 +49,8 @@ module_param(condition_uid_perms, uint, S_IRUSR | S_IWUSR); MODULE_PARM_DESC(condition_uid_perms, "default user owner of /proc/net/nf_condition/* files"); module_param(condition_gid_perms, uint, S_IRUSR | S_IWUSR); MODULE_PARM_DESC(condition_gid_perms, "default group owner of /proc/net/nf_condition/* files"); +module_param(condition_capabilities, uint, CAP_NET_ADMIN); +MODULE_PARM_DESC(condition_capabilities, "default capabilities required to change /proc/net/nf_condition/* files"); MODULE_ALIAS("ipt_condition"); MODULE_ALIAS("ip6t_condition"); @@ -88,6 +92,12 @@ static int condition_proc_write(struct file *file, const char __user *input, char buf[sizeof("+037777777777")]; unsigned long long value; + if (!capable(condition_capabilities)) { + pr_debug("not enough capabilities (requires %0X)\n", + condition_capabilities); + return -EPERM; + } + if (length == 0) return 0;
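Review bot: in the `module_param(condition_capabilities, uint, CAP_NET_ADMIN);` line of the second hunk, the third argument of module_param() is the sysfs permission mask for the entry under /sys/module/xt_condition/parameters/, not a default value, so this registers the parameter with the numeric value of CAP_NET_ADMIN as its file mode. The default is already supplied by the static initializer in the first hunk; the neighbouring parameters use `S_IRUSR | S_IWUSR` and this one should too. The parameter also accepts any unsigned int and is handed straight to capable() with no range check, so either reject values outside the valid capability range in a custom set callback or state in the description that the value is not validated. Finally, the MODULE_PARM_DESC text says "default capabilities required" although the parameter holds a single capability number; "capability" (singular), with a note that the numeric values come from linux/capability.h, would describe it accurately.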
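Review bot: the capable() check added to condition_proc_write() in the last hunk changes who may write the files, and the commit message should say so. Before this change, writes were governed only by the mode and ownership set through condition_list_perms, condition_uid_perms and condition_gid_perms, so an unprivileged user given ownership via those parameters could flip a condition; after it, that user additionally needs the configured capability, which breaks such delegation setups unless condition_capabilities is lowered. Two smaller points: the pr_debug() format `%0X` is a zero flag with no field width, and the value is a capability number rather than a bit mask, so `%u` is the appropriate conversion; and consider performing the check at open() time rather than on each write, the usual kernel preference, so that a privileged process writing to a descriptor it inherited or was handed (a redirected stdout, for instance) cannot be turned into a confused deputy.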