openwrtv4/target/linux/generic/files/drivers/net/phy
Jo-Philipp Wich 442db0d6d8 kernel: deny swconfig set requests for unprivileged users
The swconfig kernel infrastructure fails to do any permissions checks when
changing settings. As such an ordinary user account on a device with a
switch can change switch settings without any special permissions.
Routers generally have few non-admin users so this isn't a big hole, but it
is a security hole. Likely the greatest danger is for multifunction devices
which have a lot of extra daemons, compromising a low-security daemon would
allow one to modify switch settings and cause the router/switch to appear to
lock-up (or cause other sorts of troublesome network behavior).

Implement a check for CAP_NET_ADMIN in swconfig_set_attr() and deny any
requests originating from user contexts lacking this capability.

Reported-by: Elliott Mitchell <ehem+openwrt@m5p.com>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2016-06-11 00:53:19 +02:00
b53 b53: support setting port link 2016-02-03 09:33:56 +00:00
adm6996.c treewide: replace nbd@openwrt.org with nbd@nbd.name 2016-06-07 08:58:42 +02:00
adm6996.h treewide: replace nbd@openwrt.org with nbd@nbd.name 2016-06-07 08:58:42 +02:00
ar8216.c treewide: replace nbd@openwrt.org with nbd@nbd.name 2016-06-07 08:58:42 +02:00
ar8216.h treewide: replace nbd@openwrt.org with nbd@nbd.name 2016-06-07 08:58:42 +02:00
ar8327.c treewide: replace nbd@openwrt.org with nbd@nbd.name 2016-06-07 08:58:42 +02:00
ar8327.h treewide: replace nbd@openwrt.org with nbd@nbd.name 2016-06-07 08:58:42 +02:00
ip17xx.c treewide: replace nbd@openwrt.org with nbd@nbd.name 2016-06-07 08:58:42 +02:00
mvsw61xx.c treewide: replace nbd@openwrt.org with nbd@nbd.name 2016-06-07 08:58:42 +02:00
mvsw61xx.h treewide: replace nbd@openwrt.org with nbd@nbd.name 2016-06-07 08:58:42 +02:00
mvswitch.c treewide: replace nbd@openwrt.org with nbd@nbd.name 2016-06-07 08:58:42 +02:00
mvswitch.h treewide: replace nbd@openwrt.org with nbd@nbd.name 2016-06-07 08:58:42 +02:00
psb6970.c unify extended vlan id swconfig attributes. AR8216 and PSB6970 used "pvid", IP17xx used "tag" and RTL8306 called it "vid". Change all to "vid" and annotate the description with the valid ID range. 2010-10-12 20:49:35 +00:00
rtl8306.c treewide: replace nbd@openwrt.org with nbd@nbd.name 2016-06-07 08:58:42 +02:00
rtl8366_smi.c strict_strtoul is obsolete, use kstrtoul instead 2013-07-27 09:23:18 +00:00
rtl8366_smi.h linux: generic: rtl836*: fix compilation with !CONFIG_OF 2012-12-15 13:32:02 +00:00
rtl8366rb.c generic: add port mirroring/monitoring capability to rtl8366rb switch 2013-06-04 13:25:52 +00:00
rtl8366s.c fix rtl8366s OF binding 2013-04-12 18:56:05 +00:00
rtl8367.c rtl8367: add support for configuring the VLAN FID 2013-08-12 17:25:25 +00:00
rtl8367b.c generic: rtl8367: add compatible string with vendor prefix 2013-04-06 17:19:31 +00:00
swconfig.c kernel: deny swconfig set requests for unprivileged users 2016-06-11 00:53:19 +02:00
swconfig_leds.c switch: allow Ethernet port LEDs to show specific port speeds only 2016-02-25 13:31:26 +00:00