| author | Alan Ross <alan@sleuthco.ai> | 2026-02-13 17:53:23 -0500 |
|---|---|---|
| committer | Florian Westphal <fw@strlen.de> | 2026-02-14 19:39:01 +0100 |
| commit | badb2474ca8bd6427255cf0a9886cdca49a5c3b7 (patch) | |
| tree | b1ac6266d45b91f4343c0bfe1d843f20ef196408 | |
| parent | 868040f8922382925e75bf3579f66cfcd2f080e7 (diff) | |
Extend the existing setuid guard in main() to also detect
file capabilities via getauxval(AT_SECURE).

Some container runtimes and minimal distributions grant cap_net_admin
via file capabilities (setcap cap_net_admin+ep /usr/sbin/nft)
rather than running through sudo. In that configuration the kernel
sets AT_SECURE and the dynamic linker strips LD_PRELOAD, but
getuid() == geteuid() so the existing setuid check passes.

CAP_NET_ADMIN is quite powerful; even without dlopen(), we should not
sanction setcap-installations — a control flow bug could still be
exploited as the capability-elevated user.

getauxval(AT_SECURE) is nonzero whenever the kernel has set AT_SECURE
in the auxiliary vector — this covers both classic setuid/setgid and
file capabilities. Exit with status 111, matching the existing
setuid behavior.

Signed-off-by: Alan Ross <alan@sleuthco.ai>
Signed-off-by: Florian Westphal <fw@strlen.de>
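The situation the commit message describes (uid == euid, yet the process carries CAP_NET_ADMIN from a file capability and the kernel has flagged the exec as secure) can be observed from inside the process itself. The following is an added example, not nftables code: it reimplements the patched guard as `secure_exec()`, and adds a small parser for the `CapEff` line of `/proc/<pid>/status` so the capability set can be inspected alongside the uid check. The `sample_status` text is constructed to look like a setcap'd nft run by uid 1000; `CAP_NET_ADMIN` is defined locally with its kernel value (12) to avoid pulling in `<linux/capability.h>`.

```c
/* Added example, not part of nftables: show the signals a program has
 * for detecting a "secure exec", and why uid == euid alone is not enough. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/auxv.h>
#include <sys/types.h>

#define CAP_NET_ADMIN 12   /* same value as in <linux/capability.h> */

/* Return 1 if capability number `cap` is set in a /proc hex mask such as
 * "0000000000001000" (the CapEff/CapPrm format), 0 otherwise. Bit 0 is
 * the least significant bit of the last hex digit. */
int cap_mask_has(const char *hexmask, int cap)
{
    size_t len = strlen(hexmask);
    if (cap < 0 || (size_t)cap >= len * 4)
        return 0;
    char c = hexmask[len - 1 - cap / 4];
    int nib;
    if (c >= '0' && c <= '9')      nib = c - '0';
    else if (c >= 'a' && c <= 'f') nib = c - 'a' + 10;
    else if (c >= 'A' && c <= 'F') nib = c - 'A' + 10;
    else                           return 0;
    return (nib >> (cap % 4)) & 1;
}

/* Copy the value of a "Key:\t<value>" line from /proc/<pid>/status text
 * into out (size outsz). Returns 1 on success, 0 if the key is absent or
 * the value does not fit. */
int status_field(const char *status, const char *key, char *out, size_t outsz)
{
    size_t klen = strlen(key);
    const char *p = status;
    while (p && *p) {
        if (strncmp(p, key, klen) == 0 && p[klen] == ':') {
            const char *v = p + klen + 1;
            while (*v == ' ' || *v == '\t')
                v++;
            size_t n = strcspn(v, "\n");
            if (n >= outsz)
                return 0;
            memcpy(out, v, n);
            out[n] = '\0';
            return 1;
        }
        p = strchr(p, '\n');
        if (p)
            p++;
    }
    return 0;
}

/* The guard as patched: nonzero means "refuse to run". getauxval(AT_SECURE)
 * is set by the kernel for setuid/setgid binaries and for file capabilities. */
int secure_exec(void)
{
    return getuid() != geteuid() || getauxval(AT_SECURE) != 0;
}

/* Read our own /proc/self/status and report whether CapEff holds `cap`.
 * Returns 1/0, or -1 if /proc is unavailable. */
int self_has_cap(int cap)
{
    char buf[4096], eff[64];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    if (!status_field(buf, "CapEff", eff, sizeof eff))
        return -1;
    return cap_mask_has(eff, cap);
}

/* Constructed sample: what /proc/self/status looks like for an nft binary
 * installed with `setcap cap_net_admin+ep` and started by uid 1000. Uid
 * and euid match, yet the effective set carries bit 12. */
static const char sample_status[] =
    "Name:\tnft\n"
    "Uid:\t1000\t1000\t1000\t1000\n"
    "Gid:\t1000\t1000\t1000\t1000\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000000000001000\n"
    "CapEff:\t0000000000001000\n"
    "CapBnd:\t000001ffffffffff\n";

int main(void)
{
    char eff[64];
    if (status_field(sample_status, "CapEff", eff, sizeof eff))
        printf("sample: uid==euid, CapEff=%s, CAP_NET_ADMIN=%d\n",
               eff, cap_mask_has(eff, CAP_NET_ADMIN));
    printf("this process: uid=%u euid=%u AT_SECURE=%lu CAP_NET_ADMIN=%d refuse=%d\n",
           (unsigned)getuid(), (unsigned)geteuid(), getauxval(AT_SECURE),
           self_has_cap(CAP_NET_ADMIN), secure_exec());
    return 0;
}
```

Run it once as a normal user and once after `sudo setcap cap_net_admin+ep ./a.out`: the second run keeps uid == euid but reports AT_SECURE=1 and CAP_NET_ADMIN=1, which is the case the old `getuid() != geteuid()` test let through.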
| -rw-r--r-- | src/main.c | 5 |
1 files changed, 3 insertions, 2 deletions
@@ -17,6 +17,7 @@ #include <getopt.h> #include <fcntl.h> #include <sys/types.h> +#include <sys/auxv.h> #include <nftables/libnftables.h> #include <utils.h> @@ -371,8 +372,8 @@ int main(int argc, char * const *argv) char *filename = NULL; unsigned int len; - /* nftables cannot be used with setuid in a safe way. */ - if (getuid() != geteuid()) + /* nftables cannot be used with setuid/setcap in a safe way. */ + if (getuid() != geteuid() || getauxval(AT_SECURE)) _exit(111); if (!nft_options_check(argc, argv)) |
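Review bot: the new `#include <sys/auxv.h>` turns getauxval() into an unconditional build dependency, and nothing in this diff adds a configure-time check for it; getauxval() is available in glibc 2.16+ and musl, but older toolchains do not have it. An `AC_CHECK_FUNCS([getauxval])` with a `HAVE_GETAUXVAL` guard around the include and the call, falling back to the plain `getuid() != geteuid()` test, would keep the build working there.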
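Review bot: the rewritten condition in main() still dies with a bare `_exit(111)`, and the setcap case is exactly the one where that silence will confuse people: an administrator who deliberately ran `setcap cap_net_admin+ep /usr/sbin/nft` now gets exit status 111 and no output. A one-line diagnostic written to stderr before `_exit(111)` (a direct `write(2, ...)` is fine at this point, nothing else has been initialised) would make the new refusal self-explanatory. Minor: the comment says "setuid/setcap", but as the commit message notes, AT_SECURE also covers setgid, so "setuid/setgid/setcap" (or "secure-execution mode") would describe the check more precisely.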
