diff options
| author | Eric Paris <eparis@redhat.com> | 2012-01-03 12:25:16 -0500 |
|---|---|---|
| committer | Eric Paris <eparis@redhat.com> | 2012-01-05 18:53:01 -0500 |
| commit | fd778461524849afd035679030ae8e8873c72b81 (patch) | |
| tree | 32a5849c1879413fce0307af304e372eaa8225b4 /net | |
| parent | 69f594a38967f4540ce7a29b3fd214e68a8330bd (diff) | |
security: remove the security_netlink_recv hook as it is equivalent to capable()
Once upon a time netlink was not sync and we had to get the effective
capabilities from the skb that was being received. Today we instead get
the capabilities from the current task. This has rendered the entire
purpose of the hook moot as it is now functionally equivalent to the
capable() call.
Signed-off-by: Eric Paris <eparis@redhat.com>
Diffstat (limited to 'net')
| -rw-r--r-- | net/core/rtnetlink.c | 2 | ||||
| -rw-r--r-- | net/decnet/netfilter/dn_rtmsg.c | 2 | ||||
| -rw-r--r-- | net/ipv4/netfilter/ip_queue.c | 2 | ||||
| -rw-r--r-- | net/ipv6/netfilter/ip6_queue.c | 2 | ||||
| -rw-r--r-- | net/netfilter/nfnetlink.c | 2 | ||||
| -rw-r--r-- | net/netlink/genetlink.c | 2 | ||||
| -rw-r--r-- | net/xfrm/xfrm_user.c | 2 |
7 files changed, 7 insertions, 7 deletions
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c index 99d9e953fe3..d3a62819671 100644 --- a/net/core/rtnetlink.c +++ b/net/core/rtnetlink.c | |||
| @@ -1931,7 +1931,7 @@ static int rtnetlink_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh) | |||
| 1931 | sz_idx = type>>2; | 1931 | sz_idx = type>>2; |
| 1932 | kind = type&3; | 1932 | kind = type&3; |
| 1933 | 1933 | ||
| 1934 | if (kind != 2 && security_netlink_recv(skb, CAP_NET_ADMIN)) | 1934 | if (kind != 2 && !capable(CAP_NET_ADMIN)) |
| 1935 | return -EPERM; | 1935 | return -EPERM; |
| 1936 | 1936 | ||
| 1937 | if (kind == 2 && nlh->nlmsg_flags&NLM_F_DUMP) { | 1937 | if (kind == 2 && nlh->nlmsg_flags&NLM_F_DUMP) { |
diff --git a/net/decnet/netfilter/dn_rtmsg.c b/net/decnet/netfilter/dn_rtmsg.c index 69975e0bcde..1531135130d 100644 --- a/net/decnet/netfilter/dn_rtmsg.c +++ b/net/decnet/netfilter/dn_rtmsg.c | |||
| @@ -108,7 +108,7 @@ static inline void dnrmg_receive_user_skb(struct sk_buff *skb) | |||
| 108 | if (nlh->nlmsg_len < sizeof(*nlh) || skb->len < nlh->nlmsg_len) | 108 | if (nlh->nlmsg_len < sizeof(*nlh) || skb->len < nlh->nlmsg_len) |
| 109 | return; | 109 | return; |
| 110 | 110 | ||
| 111 | if (security_netlink_recv(skb, CAP_NET_ADMIN)) | 111 | if (!capable(CAP_NET_ADMIN)) |
| 112 | RCV_SKB_FAIL(-EPERM); | 112 | RCV_SKB_FAIL(-EPERM); |
| 113 | 113 | ||
| 114 | /* Eventually we might send routing messages too */ | 114 | /* Eventually we might send routing messages too */ |
diff --git a/net/ipv4/netfilter/ip_queue.c b/net/ipv4/netfilter/ip_queue.c index e59aabd0eae..ffabb267471 100644 --- a/net/ipv4/netfilter/ip_queue.c +++ b/net/ipv4/netfilter/ip_queue.c | |||
| @@ -430,7 +430,7 @@ __ipq_rcv_skb(struct sk_buff *skb) | |||
| 430 | if (type <= IPQM_BASE) | 430 | if (type <= IPQM_BASE) |
| 431 | return; | 431 | return; |
| 432 | 432 | ||
| 433 | if (security_netlink_recv(skb, CAP_NET_ADMIN)) | 433 | if (!capable(CAP_NET_ADMIN)) |
| 434 | RCV_SKB_FAIL(-EPERM); | 434 | RCV_SKB_FAIL(-EPERM); |
| 435 | 435 | ||
| 436 | spin_lock_bh(&queue_lock); | 436 | spin_lock_bh(&queue_lock); |
diff --git a/net/ipv6/netfilter/ip6_queue.c b/net/ipv6/netfilter/ip6_queue.c index e63c3972a73..5e5ce778be7 100644 --- a/net/ipv6/netfilter/ip6_queue.c +++ b/net/ipv6/netfilter/ip6_queue.c | |||
| @@ -431,7 +431,7 @@ __ipq_rcv_skb(struct sk_buff *skb) | |||
| 431 | if (type <= IPQM_BASE) | 431 | if (type <= IPQM_BASE) |
| 432 | return; | 432 | return; |
| 433 | 433 | ||
| 434 | if (security_netlink_recv(skb, CAP_NET_ADMIN)) | 434 | if (!capable(CAP_NET_ADMIN)) |
| 435 | RCV_SKB_FAIL(-EPERM); | 435 | RCV_SKB_FAIL(-EPERM); |
| 436 | 436 | ||
| 437 | spin_lock_bh(&queue_lock); | 437 | spin_lock_bh(&queue_lock); |
diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c index 1905976b513..e6c2b8f3218 100644 --- a/net/netfilter/nfnetlink.c +++ b/net/netfilter/nfnetlink.c | |||
| @@ -130,7 +130,7 @@ static int nfnetlink_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh) | |||
| 130 | const struct nfnetlink_subsystem *ss; | 130 | const struct nfnetlink_subsystem *ss; |
| 131 | int type, err; | 131 | int type, err; |
| 132 | 132 | ||
| 133 | if (security_netlink_recv(skb, CAP_NET_ADMIN)) | 133 | if (!capable(CAP_NET_ADMIN)) |
| 134 | return -EPERM; | 134 | return -EPERM; |
| 135 | 135 | ||
| 136 | /* All the messages must at least contain nfgenmsg */ | 136 | /* All the messages must at least contain nfgenmsg */ |
diff --git a/net/netlink/genetlink.c b/net/netlink/genetlink.c index 482fa571b4e..05fedbf489a 100644 --- a/net/netlink/genetlink.c +++ b/net/netlink/genetlink.c | |||
| @@ -516,7 +516,7 @@ static int genl_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh) | |||
| 516 | return -EOPNOTSUPP; | 516 | return -EOPNOTSUPP; |
| 517 | 517 | ||
| 518 | if ((ops->flags & GENL_ADMIN_PERM) && | 518 | if ((ops->flags & GENL_ADMIN_PERM) && |
| 519 | security_netlink_recv(skb, CAP_NET_ADMIN)) | 519 | !capable(CAP_NET_ADMIN)) |
| 520 | return -EPERM; | 520 | return -EPERM; |
| 521 | 521 | ||
| 522 | if (nlh->nlmsg_flags & NLM_F_DUMP) { | 522 | if (nlh->nlmsg_flags & NLM_F_DUMP) { |
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c index 0256b8a0a7c..71de86698ef 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c | |||
| @@ -2290,7 +2290,7 @@ static int xfrm_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh) | |||
| 2290 | link = &xfrm_dispatch[type]; | 2290 | link = &xfrm_dispatch[type]; |
| 2291 | 2291 | ||
| 2292 | /* All operations require privileges, even GET */ | 2292 | /* All operations require privileges, even GET */ |
| 2293 | if (security_netlink_recv(skb, CAP_NET_ADMIN)) | 2293 | if (!capable(CAP_NET_ADMIN)) |
| 2294 | return -EPERM; | 2294 | return -EPERM; |
| 2295 | 2295 | ||
| 2296 | if ((type == (XFRM_MSG_GETSA - XFRM_MSG_BASE) || | 2296 | if ((type == (XFRM_MSG_GETSA - XFRM_MSG_BASE) || |