From: Danny Feng <dfeng@redhat.com>
Date: Tue, 19 Jan 2010 08:57:26 -0500
Subject: [net] netfilter: enforce CAP_NET_ADMIN in ebtables
Message-id: <20100119085815.2029.82438.sendpatchset@danny>
Patchwork-id: 22644
O-Subject: [PATCH RHEL5.5] CVE-2010-0007 kernel: netfilter: ebtables: enforce
	CAP_NET_ADMIN
Bugzilla: 555243
CVE: CVE-2010-0007
RH-Acked-by: David S. Miller <davem@redhat.com>
RH-Acked-by: Neil Horman <nhorman@redhat.com>
RH-Acked-by: Dean Nelson <dnelson@redhat.com>
RH-Acked-by: Jiri Pirko <jpirko@redhat.com>
RH-Acked-by: Thomas Graf <tgraf@redhat.com>

Backport of upstream commit to fix CVE-2010-0007

commit dce766af541f6605fa9889892c0280bab31c66ab
Author: Florian Westphal <fwestphal@astaro.com>
Date:   Fri Jan 8 17:31:24 2010 +0100

    netfilter: ebtables: enforce CAP_NET_ADMIN

    normal users are currently allowed to set/modify ebtables rules.
    Restrict it to processes with CAP_NET_ADMIN.

    Note that this cannot be reproduced with unmodified ebtables
    binary
    because it uses SOCK_RAW.

    Signed-off-by: Florian Westphal <fwestphal@astaro.com>
    Cc: stable@kernel.org
    Signed-off-by: Patrick McHardy <kaber@trash.net>

Resolves bz555243

diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 940b218..ff34004 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -1405,6 +1405,9 @@ static int do_ebt_set_ctl(struct sock *sk,
 {
 	int ret;
 
+	if (!capable(CAP_NET_ADMIN))
+		return -EPERM;
+
 	switch(cmd) {
 	case EBT_SO_SET_ENTRIES:
 		ret = do_replace(user, len);
@@ -1424,6 +1427,9 @@ static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
 	struct ebt_replace tmp;
 	struct ebt_table *t;
 
+	if (!capable(CAP_NET_ADMIN))
+		return -EPERM;
+
 	if (copy_from_user(&tmp, user, sizeof(tmp)))
 		return -EFAULT;