linux/net/ipv4/netfilter
Björn Steinbrink 82fac0542e [NETFILTER]: Missing check for CAP_NET_ADMIN in iptables compat layer
The 32bit compatibility layer has no CAP_NET_ADMIN check in
compat_do_ipt_get_ctl, which for example allows to list the current
iptables rules even without having that capability (the non-compat
version requires it). Other capabilities might be required to exploit
the bug (eg. CAP_NET_RAW to get the nfnetlink socket?), so a plain user
can't exploit it, but a setup actually using the posix capability system
might very well hit such a constellation of granted capabilities.

Signed-off-by: Björn Steinbrink <B.Steinbrink@gmx.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-10-20 00:21:10 -07:00
..
arp_tables.c [NETFILTER]: arp_tables: missing unregistration on module unload 2006-10-15 23:14:07 -07:00
arpt_mangle.c [NETFILTER]: x_tables: remove unused size argument to check/destroy functions 2006-09-22 14:55:34 -07:00
arptable_filter.c [NETFILTER]: x_tables: remove unused argument to target functions 2006-09-22 14:55:33 -07:00
ip_conntrack_amanda.c [NETFILTER]: conntrack annotations 2006-09-28 18:03:00 -07:00
ip_conntrack_core.c [NETFILTER]: conntrack annotations 2006-09-28 18:03:00 -07:00
ip_conntrack_ftp.c [NETFILTER]: conntrack annotations 2006-09-28 18:03:00 -07:00
ip_conntrack_helper_h323_asn1.c [NETFILTER]: H.323 helper: fix sequence extension parsing 2006-05-23 15:15:10 -07:00
ip_conntrack_helper_h323_types.c [NETFILTER]: H.323 helper: Add support for Call Forwarding 2006-06-17 21:29:11 -07:00
ip_conntrack_helper_h323.c [NETFILTER]: h323 annotations 2006-09-28 18:03:03 -07:00
ip_conntrack_helper_pptp.c [NETFILTER]: conntrack annotations 2006-09-28 18:03:00 -07:00
ip_conntrack_irc.c [NETFILTER]: conntrack annotations 2006-09-28 18:03:00 -07:00
ip_conntrack_netbios_ns.c [NETFILTER]: conntrack annotations 2006-09-28 18:03:00 -07:00
ip_conntrack_netlink.c [NETFILTER]: ctnetlink: Remove debugging messages 2006-10-15 23:14:11 -07:00
ip_conntrack_proto_generic.c [NETFILTER]: Change tunables to __read_mostly 2006-09-22 15:18:54 -07:00
ip_conntrack_proto_gre.c [NETFILTER]: PPTP conntrack: fix whitespace errors 2006-09-22 15:20:07 -07:00
ip_conntrack_proto_icmp.c [NETFILTER]: conntrack annotations 2006-09-28 18:03:00 -07:00
ip_conntrack_proto_sctp.c [NETFILTER]: conntrack annotations 2006-09-28 18:03:00 -07:00
ip_conntrack_proto_tcp.c [NETFILTER]: conntrack annotations 2006-09-28 18:03:00 -07:00
ip_conntrack_proto_udp.c [NETFILTER]: Change tunables to __read_mostly 2006-09-22 15:18:54 -07:00
ip_conntrack_sip.c [NETFILTER]: conntrack annotations 2006-09-28 18:03:00 -07:00
ip_conntrack_standalone.c [NETFILTER]: kill listhelp.h 2006-09-22 15:19:45 -07:00
ip_conntrack_tftp.c [NETFILTER]: conntrack annotations 2006-09-28 18:03:00 -07:00
ip_nat_amanda.c [NETFILTER]: Rename init functions. 2006-03-28 17:02:48 -08:00
ip_nat_core.c [NETFILTER]: NAT annotations 2006-09-28 18:03:01 -07:00
ip_nat_ftp.c [NETFILTER]: NAT annotations 2006-09-28 18:03:01 -07:00
ip_nat_helper_h323.c [NETFILTER]: h323 annotations 2006-09-28 18:03:03 -07:00
ip_nat_helper_pptp.c [NETFILTER]: NAT annotations 2006-09-28 18:03:01 -07:00
ip_nat_helper.c [NETFILTER]: NAT annotations 2006-09-28 18:03:01 -07:00
ip_nat_irc.c [NETFILTER]: Rename init functions. 2006-03-28 17:02:48 -08:00
ip_nat_proto_gre.c [NETFILTER]: PPTP conntrack: get rid of unnecessary byte order conversions 2006-09-22 15:20:08 -07:00
ip_nat_proto_icmp.c [NETFILTER]: NAT annotations 2006-09-28 18:03:01 -07:00
ip_nat_proto_tcp.c [NETFILTER]: NAT annotations 2006-09-28 18:03:01 -07:00
ip_nat_proto_udp.c [NETFILTER]: NAT annotations 2006-09-28 18:03:01 -07:00
ip_nat_proto_unknown.c [NETFILTER]: Remove unused function from NAT protocol helpers 2006-01-10 12:54:34 -08:00
ip_nat_rule.c [NETFILTER]: NAT annotations 2006-09-28 18:03:01 -07:00
ip_nat_sip.c [NETFILTER]: NAT annotations 2006-09-28 18:03:01 -07:00
ip_nat_snmp_basic.c [NETFILTER]: NAT annotations 2006-09-28 18:03:01 -07:00
ip_nat_standalone.c [NETFILTER]: add type parameter to ip_route_me_harder 2006-10-04 00:30:54 -07:00
ip_nat_tftp.c [NETFILTER]: Rename init functions. 2006-03-28 17:02:48 -08:00
ip_queue.c [NETFILTER]: make some netfilter globals __read_mostly 2006-09-22 15:19:58 -07:00
ip_tables.c [NETFILTER]: Missing check for CAP_NET_ADMIN in iptables compat layer 2006-10-20 00:21:10 -07:00
ipt_addrtype.c [IPV4]: inet_addr_type() annotations 2006-09-28 18:01:07 -07:00
ipt_ah.c [NETFILTER]: x_tables: remove unused size argument to check/destroy functions 2006-09-22 14:55:34 -07:00
ipt_CLUSTERIP.c [NETFILTER]: ipt annotations 2006-09-28 18:03:02 -07:00
ipt_ecn.c [NETFILTER]: x_tables: remove unused size argument to check/destroy functions 2006-09-22 14:55:34 -07:00
ipt_ECN.c [NETFILTER]: ipt_ECN/ipt_TOS: fix incorrect checksum update 2006-10-15 23:14:08 -07:00
ipt_hashlimit.c [NETFILTER]: ipt annotations 2006-09-28 18:03:02 -07:00
ipt_iprange.c [NETFILTER]: Rename init functions. 2006-03-28 17:02:48 -08:00
ipt_LOG.c [NETFILTER]: x_tables: remove unused size argument to check/destroy functions 2006-09-22 14:55:34 -07:00
ipt_MASQUERADE.c [IPV4]: inet_select_addr() annotations 2006-09-28 17:54:08 -07:00
ipt_NETMAP.c [NETFILTER]: ipt annotations 2006-09-28 18:03:02 -07:00
ipt_owner.c [NETFILTER]: x_tables: remove unused size argument to check/destroy functions 2006-09-22 14:55:34 -07:00
ipt_recent.c [NETFILTER]: ipt annotations 2006-09-28 18:03:02 -07:00
ipt_REDIRECT.c [IPV4]: annotate struct in_ifaddr 2006-09-28 18:00:55 -07:00
ipt_REJECT.c [NETFILTER]: ipt_REJECT: remove largely duplicate route_reverse function 2006-10-04 00:30:56 -07:00
ipt_SAME.c [NETFILTER]: ipt annotations 2006-09-28 18:03:02 -07:00
ipt_TCPMSS.c [NETFILTER]: ipt annotations 2006-09-28 18:03:02 -07:00
ipt_tos.c [NETFILTER]: Rename init functions. 2006-03-28 17:02:48 -08:00
ipt_TOS.c [NETFILTER]: ipt_ECN/ipt_TOS: fix incorrect checksum update 2006-10-15 23:14:08 -07:00
ipt_ttl.c [NETFILTER]: Rename init functions. 2006-03-28 17:02:48 -08:00
ipt_TTL.c [NETFILTER]: ipt annotations 2006-09-28 18:03:02 -07:00
ipt_ULOG.c [NETFILTER]: x_tables: remove unused size argument to check/destroy functions 2006-09-22 14:55:34 -07:00
iptable_filter.c [NETFILTER]: x_tables: remove unused argument to target functions 2006-09-22 14:55:33 -07:00
iptable_mangle.c [NETFILTER]: add type parameter to ip_route_me_harder 2006-10-04 00:30:54 -07:00
iptable_raw.c [NETFILTER]: x_tables: remove unused argument to target functions 2006-09-22 14:55:33 -07:00
Kconfig more misc typo fixes 2006-10-03 22:34:14 +02:00
Makefile [NETFILTER]: x_tables: replace IPv4 DSCP target by address family independent version 2006-09-22 14:55:22 -07:00
nf_conntrack_l3proto_ipv4.c Remove obsolete #include <linux/config.h> 2006-06-30 19:25:36 +02:00
nf_conntrack_proto_icmp.c [NETFILTER]: Change tunables to __read_mostly 2006-09-22 15:18:54 -07:00