Skip to content

Commit

Permalink
---
Browse files Browse the repository at this point in the history
yaml
---
r: 14153
b: refs/heads/master
c: 37d2e7a
h: refs/heads/master
i:
  14151: 009e0bb
v: v3
  • Loading branch information
Harald Welte authored and David S. Miller committed Nov 14, 2005
1 parent cad92fe commit 3ca7602
Show file tree
Hide file tree
Showing 6 changed files with 25 additions and 42 deletions.
2 changes: 1 addition & 1 deletion [refs]
Original file line number Diff line number Diff line change
@@ -1,2 +1,2 @@
---
refs/heads/master: 3746a2b1402e7933c7f1eabdce384b8454dc2ef7
refs/heads/master: 37d2e7a20d745035b600f1a6be56cbb9c7259419
1 change: 0 additions & 1 deletion trunk/include/linux/netfilter/nfnetlink.h
Original file line number Diff line number Diff line change
Expand Up @@ -112,7 +112,6 @@ struct nfnl_callback
{
int (*call)(struct sock *nl, struct sk_buff *skb,
struct nlmsghdr *nlh, struct nfattr *cda[], int *errp);
kernel_cap_t cap_required; /* capabilities required for this msg */
u_int16_t attr_count; /* number of nfattr's */
};

Expand Down
21 changes: 7 additions & 14 deletions trunk/net/ipv4/netfilter/ip_conntrack_netlink.c
Original file line number Diff line number Diff line change
Expand Up @@ -1543,29 +1543,22 @@ static struct notifier_block ctnl_notifier_exp = {

static struct nfnl_callback ctnl_cb[IPCTNL_MSG_MAX] = {
[IPCTNL_MSG_CT_NEW] = { .call = ctnetlink_new_conntrack,
.attr_count = CTA_MAX,
.cap_required = CAP_NET_ADMIN },
.attr_count = CTA_MAX, },
[IPCTNL_MSG_CT_GET] = { .call = ctnetlink_get_conntrack,
.attr_count = CTA_MAX,
.cap_required = CAP_NET_ADMIN },
.attr_count = CTA_MAX, },
[IPCTNL_MSG_CT_DELETE] = { .call = ctnetlink_del_conntrack,
.attr_count = CTA_MAX,
.cap_required = CAP_NET_ADMIN },
.attr_count = CTA_MAX, },
[IPCTNL_MSG_CT_GET_CTRZERO] = { .call = ctnetlink_get_conntrack,
.attr_count = CTA_MAX,
.cap_required = CAP_NET_ADMIN },
.attr_count = CTA_MAX, },
};

static struct nfnl_callback ctnl_exp_cb[IPCTNL_MSG_EXP_MAX] = {
[IPCTNL_MSG_EXP_GET] = { .call = ctnetlink_get_expect,
.attr_count = CTA_EXPECT_MAX,
.cap_required = CAP_NET_ADMIN },
.attr_count = CTA_EXPECT_MAX, },
[IPCTNL_MSG_EXP_NEW] = { .call = ctnetlink_new_expect,
.attr_count = CTA_EXPECT_MAX,
.cap_required = CAP_NET_ADMIN },
.attr_count = CTA_EXPECT_MAX, },
[IPCTNL_MSG_EXP_DELETE] = { .call = ctnetlink_del_expect,
.attr_count = CTA_EXPECT_MAX,
.cap_required = CAP_NET_ADMIN },
.attr_count = CTA_EXPECT_MAX, },
};

static struct nfnetlink_subsystem ctnl_subsys = {
Expand Down
28 changes: 12 additions & 16 deletions trunk/net/netfilter/nfnetlink.c
Original file line number Diff line number Diff line change
Expand Up @@ -223,6 +223,12 @@ static inline int nfnetlink_rcv_msg(struct sk_buff *skb,
NFNL_SUBSYS_ID(nlh->nlmsg_type),
NFNL_MSG_TYPE(nlh->nlmsg_type));

if (!cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN)) {
DEBUGP("missing CAP_NET_ADMIN\n");
*errp = -EPERM;
return -1;
}

/* Only requests are handled by kernel now. */
if (!(nlh->nlmsg_flags & NLM_F_REQUEST)) {
DEBUGP("received non-request message\n");
Expand All @@ -240,15 +246,12 @@ static inline int nfnetlink_rcv_msg(struct sk_buff *skb,
ss = nfnetlink_get_subsys(type);
if (!ss) {
#ifdef CONFIG_KMOD
if (cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN)) {
/* don't call nfnl_shunlock, since it would reenter
* with further packet processing */
up(&nfnl_sem);
request_module("nfnetlink-subsys-%d",
NFNL_SUBSYS_ID(type));
nfnl_shlock();
ss = nfnetlink_get_subsys(type);
}
/* don't call nfnl_shunlock, since it would reenter
* with further packet processing */
up(&nfnl_sem);
request_module("nfnetlink-subsys-%d", NFNL_SUBSYS_ID(type));
nfnl_shlock();
ss = nfnetlink_get_subsys(type);
if (!ss)
#endif
goto err_inval;
Expand All @@ -260,13 +263,6 @@ static inline int nfnetlink_rcv_msg(struct sk_buff *skb,
goto err_inval;
}

if (nc->cap_required &&
!cap_raised(NETLINK_CB(skb).eff_cap, nc->cap_required)) {
DEBUGP("permission denied for type %d\n", type);
*errp = -EPERM;
return -1;
}

{
u_int16_t attr_count =
ss->cb[NFNL_MSG_TYPE(nlh->nlmsg_type)].attr_count;
Expand Down
6 changes: 2 additions & 4 deletions trunk/net/netfilter/nfnetlink_log.c
Original file line number Diff line number Diff line change
Expand Up @@ -862,11 +862,9 @@ nfulnl_recv_config(struct sock *ctnl, struct sk_buff *skb,

static struct nfnl_callback nfulnl_cb[NFULNL_MSG_MAX] = {
[NFULNL_MSG_PACKET] = { .call = nfulnl_recv_unsupp,
.attr_count = NFULA_MAX,
.cap_required = CAP_NET_ADMIN, },
.attr_count = NFULA_MAX, },
[NFULNL_MSG_CONFIG] = { .call = nfulnl_recv_config,
.attr_count = NFULA_CFG_MAX,
.cap_required = CAP_NET_ADMIN },
.attr_count = NFULA_CFG_MAX, },
};

static struct nfnetlink_subsystem nfulnl_subsys = {
Expand Down
9 changes: 3 additions & 6 deletions trunk/net/netfilter/nfnetlink_queue.c
Original file line number Diff line number Diff line change
Expand Up @@ -931,14 +931,11 @@ nfqnl_recv_config(struct sock *ctnl, struct sk_buff *skb,

static struct nfnl_callback nfqnl_cb[NFQNL_MSG_MAX] = {
[NFQNL_MSG_PACKET] = { .call = nfqnl_recv_unsupp,
.attr_count = NFQA_MAX,
.cap_required = CAP_NET_ADMIN },
.attr_count = NFQA_MAX, },
[NFQNL_MSG_VERDICT] = { .call = nfqnl_recv_verdict,
.attr_count = NFQA_MAX,
.cap_required = CAP_NET_ADMIN },
.attr_count = NFQA_MAX, },
[NFQNL_MSG_CONFIG] = { .call = nfqnl_recv_config,
.attr_count = NFQA_CFG_MAX,
.cap_required = CAP_NET_ADMIN },
.attr_count = NFQA_CFG_MAX, },
};

static struct nfnetlink_subsystem nfqnl_subsys = {
Expand Down

0 comments on commit 3ca7602

Please sign in to comment.