[Devel] [PATCH RHEL9 COMMIT] ve/netfilter: Check for permittions while looking for target and match

Konstantin Khorenko khorenko at virtuozzo.com
Wed Oct 20 11:39:34 MSK 2021 

The commit is pushed to "branch-rh9-5.14.vz9.1.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh9-5.14.0-4.vz9.10.12
------>
commit 3ebacfec1a42abc51f84e645a4117f81bb8b01d0
Author: Kirill Tkhai <ktkhai at parallels.com>
Date:   Wed Oct 20 11:39:34 2021 +0300

    ve/netfilter: Check for permittions while looking for target and match
    
    Patchset description:
    
    Port autoloading of netfilter modules functuonality
    
    https://jira.sw.ru/browse/PSBM-28910
    
    Signed-off-by: Kirill Tkhai <ktkhai at parallels.com>
    
    Kirill Tkhai (4):
          kmod: Move check of VE permitions from __call_usermodehelper_exec() to upper functions
          kmod: Port autoloading from CT
          netfilter: Add autoloading of sockopt modules
          netfilter: Check for permittions while looking for target and match
    
    (cherry picked from vz7 commit 6abadc4355f7 ("ve/netfilter: Check for
    permittions while looking for target and match"))
    
    VZ 8 rebase part https://jira.sw.ru/browse/PSBM-127783
    
    Signed-off-by: Alexander Mikhalitsyn <alexander.mikhalitsyn at virtuozzo.com>
    
    (cherry-picked from vz8 commit 3d0593b5d20d ("ve/netfilter: Check for
    permittions while looking for target and match"))
    
    Signed-off-by: Nikita Yushchenko <nikita.yushchenko at virtuozzo.com>
---
 net/netfilter/x_tables.c | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 7eb2a98ec410..acb2dda97870 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -172,6 +172,29 @@ xt_unregister_matches(struct xt_match *match, unsigned int n)
 }
 EXPORT_SYMBOL(xt_unregister_matches);
 
+/*
+ * Convert xt_name to module name and check for it's allowed.
+ *
+ * xt_name is a module name without prefix.
+ */
+static bool xt_name_allowed(u8 af, const char *xt_name)
+{
+	char module_name[MODULE_NAME_LEN] = {'\0'};
+	const char *prefix = xt_prefix[af];
+	int len = strlen(prefix) + strlen("t_");
+
+	if (len + strnlen(xt_name, MODULE_NAME_LEN) >= MODULE_NAME_LEN)
+		return false;
+
+	/* Fallback targets (ipt_standard_target etc) */
+	if (strcmp(xt_name, XT_STANDARD_TARGET) == 0 ||
+	    strcmp(xt_name, XT_ERROR_TARGET) == 0)
+		return true;
+
+	sprintf(module_name, "%st_%s", prefix, xt_name);
+
+	return module_payload_allowed(module_name);
+}
 
 /*
  * These are weird, but module loading must not be done with mutex
@@ -188,6 +211,9 @@ struct xt_match *xt_find_match(u8 af, const char *name, u8 revision)
 	if (strnlen(name, XT_EXTENSION_MAXNAMELEN) == XT_EXTENSION_MAXNAMELEN)
 		return ERR_PTR(-EINVAL);
 
+	if (!xt_name_allowed(af, name))
+		return ERR_PTR(err);
+
 	mutex_lock(&xt[af].mutex);
 	list_for_each_entry(m, &xt[af].match, list) {
 		if (strcmp(m->name, name) == 0) {
@@ -237,6 +263,9 @@ static struct xt_target *xt_find_target(u8 af, const char *name, u8 revision)
 	if (strnlen(name, XT_EXTENSION_MAXNAMELEN) == XT_EXTENSION_MAXNAMELEN)
 		return ERR_PTR(-EINVAL);
 
+	if (!xt_name_allowed(af, name))
+		return ERR_PTR(err);
+
 	mutex_lock(&xt[af].mutex);
 	list_for_each_entry(t, &xt[af].target, list) {
 		if (strcmp(t->name, name) == 0) {

More information about the Devel mailing list