Re: [PATCH RFC 0/9] socket filtering using nf_tables

From: Pablo Neira Ayuso
Date: Wed Mar 12 2014 - 05:27:24 EST


On Wed, Mar 12, 2014 at 10:15:00AM +0100, Pablo Neira Ayuso wrote:
> > 7/9:
> > whole nft_expr_autoload() looks scary from security point of view.
> > If I'm reading it correctly, the code will do request_module() based on
> > userspace request to attach filter?
>
> Only root can invoke that code so far.

Oops, this is obviously wrong. This request_module part needs a fix
indeed for the non-root part.