linux/net/decnet/netfilter, branch v3.16

net: Use netlink_ns_capable to verify the permisions of netlink messages

2014-04-24T17:44:54Z

It is possible by passing a netlink socket to a more privileged executable and then to fool that executable into writing to the socket data that happens to be valid netlink message to do something that privileged executable did not intend to do. To keep this from happening replace bare capable and ns_capable calls with netlink_capable, netlink_net_calls and netlink_ns_capable calls. Which act the same as the previous calls except they verify that the opener of the socket had the desired permissions as well. Reported-by: Andy Lutomirski Signed-off-by: "Eric W. Biederman" Signed-off-by: David S. Miller

netfilter: pass hook ops to hookfn

2013-10-14T09:29:31Z

Pass the hook ops to the hookfn to allow for generic hook functions. This change is required by nf_tables. Signed-off-by: Patrick McHardy Signed-off-by: Pablo Neira Ayuso

net-next: replace obsolete NLMSG_* with type safe nlmsg_*

2013-03-28T18:25:25Z

Signed-off-by: Hong Zhiguo Signed-off-by: David S. Miller

net/decnet/netfilter: remove depends on CONFIG_EXPERIMENTAL

2013-01-11T19:39:34Z

The CONFIG_EXPERIMENTAL config item has not carried much meaning for a while now and is almost always enabled by default. As agreed during the Linux kernel summit, remove it from any "depends on" lines in Kconfigs. CC: Pablo Neira Ayuso CC: Patrick McHardy CC: "David S. Miller" Signed-off-by: Kees Cook Acked-by: David S. Miller

netlink: hide struct module parameter in netlink_kernel_create

2012-09-08T22:46:30Z

This patch defines netlink_kernel_create as a wrapper function of __netlink_kernel_create to hide the struct module *me parameter (which seems to be THIS_MODULE in all existing netlink subsystems). Suggested by David S. Miller. Signed-off-by: Pablo Neira Ayuso Signed-off-by: David S. Miller

netlink: add netlink_kernel_cfg parameter to netlink_kernel_create

2012-06-29T23:46:02Z

This patch adds the following structure: struct netlink_kernel_cfg { unsigned int groups; void (*input)(struct sk_buff *skb); struct mutex *cb_mutex; }; That can be passed to netlink_kernel_create to set optional configurations for netlink kernel sockets. I've populated this structure by looking for NULL and zero parameters at the existing code. The remaining parameters that always need to be set are still left in the original interface. That includes optional parameters for the netlink socket creation. This allows easy extensibility of this interface in the future. This patch also adapts all callers to use this new interface. Signed-off-by: Pablo Neira Ayuso Signed-off-by: David S. Miller

decnet: dn_rtmsg: Move away from NLMSG_PUT().

2012-06-27T04:25:55Z

And use nlmsg_data() while we're here too. Also, remove pointless kernel log message. Signed-off-by: David S. Miller

netfilter: decnet: switch hook PFs to nfproto

2012-06-07T12:58:42Z

This patch is a cleanup. Use NFPROTO_* for consistency with other netfilter code. Signed-off-by: Alban Crequy Reviewed-by: Javier Martinez Canillas Reviewed-by: Vincent Sanders Signed-off-by: Pablo Neira Ayuso

net: Convert net_ratelimit uses to net__ratelimited

2012-05-15T17:45:03Z

Standardize the net core ratelimited logging functions. Coalesce formats, align arguments. Change a printk then vprintk sequence to use printf extension %pV. Signed-off-by: Joe Perches Signed-off-by: David S. Miller

security: remove the security_netlink_recv hook as it is equivalent to capable()

2012-01-05T23:53:01Z

Once upon a time netlink was not sync and we had to get the effective capabilities from the skb that was being received. Today we instead get the capabilities from the current task. This has rendered the entire purpose of the hook moot as it is now functionally equivalent to the capable() call. Signed-off-by: Eric Paris