mirror/linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
bfbb23466adcbc77facea3046b44f75530079472
linux/net/netfilter
History
Pablo Neira Ayuso cba85b532e netfilter: fix export secctx error handling 
In 1ae4de0cdf, the secctx was exported
via the /proc/net/netfilter/nf_conntrack and ctnetlink interfaces
instead of the secmark.

That patch introduced the use of security_secid_to_secctx() which may
return a non-zero value on error.

In one of my setups, I have NF_CONNTRACK_SECMARK enabled but no
security modules. Thus, security_secid_to_secctx() returns a negative
value that results in the breakage of the /proc and `conntrack -L'
outputs. To fix this, we skip the inclusion of secctx if the
aforementioned function fails.

This patch also fixes the dynamic netlink message size calculation
if security_secid_to_secctx() returns an error, since its logic is
also wrong.

This problem exists in Linux kernel >= 2.6.37.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2011-01-06 11:25:00 -08:00
..
ipvs
Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6
2010-11-19 13:13:47 -08:00
core.c
netfilter: allow hooks to pass error code back up the stack
2010-11-17 10:54:34 -08:00
Kconfig
netfilter: fix module dependency issues with IPv6 defragmentation, ip6tables and xt_TPROXY
2010-10-25 13:58:36 -07:00
Makefile
netfilter: add xt_cpu match
2010-07-23 12:59:36 +02:00
nf_conntrack_acct.c
netfilter: complete the deprecation of CONFIG_NF_CT_ACCT
2010-06-25 14:46:56 +02:00
nf_conntrack_amanda.c
netfilter: cleanup printk messages
2010-05-13 15:02:08 +02:00
nf_conntrack_core.c
netfilter: fix the race when initializing nf_ct_expect_hash_rnd
2011-01-06 11:22:20 -08:00
nf_conntrack_ecache.c
net/netfilter: __rcu annotations
2010-08-19 17:18:01 -07:00
nf_conntrack_expect.c
netfilter: fix the race when initializing nf_ct_expect_hash_rnd
2011-01-06 11:22:20 -08:00
nf_conntrack_extend.c
Merge commit 'v2.6.36-rc7' into core/rcu
2010-10-07 09:43:45 +02:00
nf_conntrack_ftp.c
netfilter: cleanup printk messages
2010-05-13 15:02:08 +02:00
nf_conntrack_h323_asn1.c
[NETFILTER]: nf_conntrack_h323: constify and annotate H.323 helper
2008-01-31 19:28:07 -08:00
nf_conntrack_h323_main.c
net-next: remove useless union keyword
2010-06-10 23:31:35 -07:00
nf_conntrack_h323_types.c
[NETFILTER]: nf_conntrack_h323: constify and annotate H.323 helper
2008-01-31 19:28:07 -08:00
nf_conntrack_helper.c
include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h
2010-03-30 22:02:32 +09:00
nf_conntrack_irc.c
netfilter: cleanup printk messages
2010-05-13 15:02:08 +02:00
nf_conntrack_l3proto_generic.c
[NETFILTER]: nf_conntrack: use bool type in struct nf_conntrack_l3proto
2008-04-14 11:15:52 +02:00
nf_conntrack_netbios_ns.c
net-next: remove useless union keyword
2010-06-10 23:31:35 -07:00
nf_conntrack_netlink.c
netfilter: fix export secctx error handling
2011-01-06 11:25:00 -08:00
nf_conntrack_pptp.c
netfilter: nf_conntrack: add support for "conntrack zones"
2010-02-15 18:13:33 +01:00
nf_conntrack_proto_dccp.c
include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h
2010-03-30 22:02:32 +09:00
nf_conntrack_proto_generic.c
sysctl net: Remove unused binary sysctl code
2009-11-12 02:05:06 -08:00
nf_conntrack_proto_gre.c
include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h
2010-03-30 22:02:32 +09:00
nf_conntrack_proto_sctp.c
netfilter: cleanup printk messages
2010-05-13 15:02:08 +02:00
nf_conntrack_proto_tcp.c
Update broken web addresses in the kernel.
2010-10-18 11:03:14 +02:00
nf_conntrack_proto_udp.c
netfilter: nf_conntrack: pass template to l4proto ->error() handler
2010-02-15 17:45:08 +01:00
nf_conntrack_proto_udplite.c
netfilter: nf_conntrack: pass template to l4proto ->error() handler
2010-02-15 17:45:08 +01:00
nf_conntrack_proto.c
netfilter: fix nf_conntrack_l4proto_register()
2010-10-29 19:59:40 +02:00
nf_conntrack_sane.c
include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h
2010-03-30 22:02:32 +09:00
nf_conntrack_sip.c
Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-next-2.6
2010-10-21 08:21:34 -07:00
nf_conntrack_standalone.c
netfilter: fix export secctx error handling
2011-01-06 11:25:00 -08:00
nf_conntrack_tftp.c
netfilter: cleanup printk messages
2010-05-13 15:02:08 +02:00
nf_internals.h
netfilter: cleanup printk messages
2010-05-13 15:02:08 +02:00
nf_log.c
net/netfilter: __rcu annotations
2010-08-19 17:18:01 -07:00
nf_queue.c
net/netfilter: __rcu annotations
2010-08-19 17:18:01 -07:00
nf_sockopt.c
net: Make setsockopt() optlen be unsigned.
2009-09-30 16:12:20 -07:00
nf_tproxy_core.c
Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-next-2.6
2010-10-21 08:21:34 -07:00
nfnetlink_log.c
Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-next-2.6
2010-06-15 13:49:24 -07:00
nfnetlink_queue.c
Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-next-2.6
2010-06-15 13:49:24 -07:00
nfnetlink.c
netfilter: cleanup printk messages
2010-05-13 15:02:08 +02:00
x_tables.c
netfilter: unregister nf hooks, matches and targets in the reverse order
2010-10-04 22:24:12 +02:00
xt_CHECKSUM.c
netfilter: add CHECKSUM target
2010-07-15 17:20:46 +02:00
xt_CLASSIFY.c
netfilter: xtables: substitute temporary defines by final name
2010-05-11 18:31:17 +02:00
xt_cluster.c
netfilter: nf_conntrack: IPS_UNTRACKED bit
2010-06-08 16:09:52 +02:00
xt_comment.c
netfilter: xtables: deconstify struct xt_action_param for matches
2010-05-11 18:33:37 +02:00
xt_connbytes.c
netfilter: xt_connbytes: Force CT accounting to be enabled
2010-06-25 14:44:07 +02:00
xt_connlimit.c
netfilter: xtables: change hotdrop pointer to direct modification
2010-05-11 18:35:27 +02:00
xt_connmark.c
netfilter: xtables: deconstify struct xt_action_param for matches
2010-05-11 18:33:37 +02:00
xt_CONNSECMARK.c
netfilter: xtables: substitute temporary defines by final name
2010-05-11 18:31:17 +02:00
xt_conntrack.c
netfilter: nf_conntrack: IPS_UNTRACKED bit
2010-06-08 16:09:52 +02:00
xt_cpu.c
netfilter: add xt_cpu match
2010-07-23 12:59:36 +02:00
xt_CT.c
secmark: make secmark object handling generic
2010-10-21 10:12:48 +11:00
xt_dccp.c
netfilter: xtables: change hotdrop pointer to direct modification
2010-05-11 18:35:27 +02:00
xt_dscp.c
netfilter: xtables: deconstify struct xt_action_param for matches
2010-05-11 18:33:37 +02:00
xt_DSCP.c
netfilter: xtables: substitute temporary defines by final name
2010-05-11 18:31:17 +02:00
xt_esp.c
netfilter: xtables: change hotdrop pointer to direct modification
2010-05-11 18:35:27 +02:00
xt_hashlimit.c
netfilter: xt_hashlimit: use proto_ports_offset() to support AH message
2010-08-19 17:16:25 -07:00
xt_helper.c
netfilter: xtables: deconstify struct xt_action_param for matches
2010-05-11 18:33:37 +02:00
xt_hl.c
netfilter: xtables: deconstify struct xt_action_param for matches
2010-05-11 18:33:37 +02:00
xt_HL.c
netfilter: xtables: substitute temporary defines by final name
2010-05-11 18:31:17 +02:00
xt_IDLETIMER.c
netfilter: xt_IDLETIMER needs kdev_t.h
2010-06-22 08:13:31 +02:00
xt_iprange.c
netfilter: xtables: deconstify struct xt_action_param for matches
2010-05-11 18:33:37 +02:00
xt_ipvs.c
netfilter: remove duplicated include
2010-10-04 21:00:42 +02:00
xt_LED.c
netfilter: xtables: substitute temporary defines by final name
2010-05-11 18:31:17 +02:00
xt_length.c
netfilter: xtables: deconstify struct xt_action_param for matches
2010-05-11 18:33:37 +02:00
xt_limit.c
netfilter: xtables: deconstify struct xt_action_param for matches
2010-05-11 18:33:37 +02:00
xt_mac.c
netfilter: xtables: deconstify struct xt_action_param for matches
2010-05-11 18:33:37 +02:00
xt_mark.c
netfilter: xtables: deconstify struct xt_action_param for matches
2010-05-11 18:33:37 +02:00
xt_multiport.c
netfilter: xtables: change hotdrop pointer to direct modification
2010-05-11 18:35:27 +02:00
xt_NFLOG.c
netfilter: xtables: substitute temporary defines by final name
2010-05-11 18:31:17 +02:00
xt_NFQUEUE.c
netfilter: xtables: substitute temporary defines by final name
2010-05-11 18:31:17 +02:00
xt_NOTRACK.c
netfilter: nf_conntrack: IPS_UNTRACKED bit
2010-06-08 16:09:52 +02:00
xt_osf.c
netfilter: xtables: deconstify struct xt_action_param for matches
2010-05-11 18:33:37 +02:00
xt_owner.c
netfilter: xtables: deconstify struct xt_action_param for matches
2010-05-11 18:33:37 +02:00
xt_physdev.c
netfilter: xtables: deconstify struct xt_action_param for matches
2010-05-11 18:33:37 +02:00
xt_pkttype.c
netfilter: xtables: deconstify struct xt_action_param for matches
2010-05-11 18:33:37 +02:00
xt_policy.c
netfilter: xtables: deconstify struct xt_action_param for matches
2010-05-11 18:33:37 +02:00
xt_quota.c
xt_quota: report initial quota value instead of current value to userspace
2010-07-23 14:07:47 +02:00
xt_rateest.c
netfilter: xtables: deconstify struct xt_action_param for matches
2010-05-11 18:33:37 +02:00
xt_RATEEST.c
pkt_sched: gen_kill_estimator() rcu fixes
2010-06-11 18:37:08 -07:00
xt_realm.c
netfilter: xtables: deconstify struct xt_action_param for matches
2010-05-11 18:33:37 +02:00
xt_recent.c
llseek: automatically add .llseek fop
2010-10-15 15:53:27 +02:00
xt_repldata.h
netfilter: xtables: generate initial table on-demand
2010-02-10 17:50:47 +01:00
xt_sctp.c
netfilter: xt_sctp: use WORD_ROUND macro to calculate length of multiple of 4 bytes
2010-06-09 14:47:40 +02:00
xt_SECMARK.c
secmark: make secmark object handling generic
2010-10-21 10:12:48 +11:00
xt_socket.c
netfilter: xt_socket: Make tproto signed in socket_mt6_v1().
2010-10-28 12:59:53 -07:00
xt_state.c
netfilter: nf_conntrack: IPS_UNTRACKED bit
2010-06-08 16:09:52 +02:00
xt_statistic.c
netfilter: xt_statistic: remove nth_lock spinlock
2010-06-01 12:00:41 +02:00
xt_string.c
netfilter: xtables: deconstify struct xt_action_param for matches
2010-05-11 18:33:37 +02:00
xt_tcpmss.c
netfilter: xtables: change hotdrop pointer to direct modification
2010-05-11 18:35:27 +02:00
xt_TCPMSS.c
tcp: unify tcp flag macros
2010-06-15 11:56:19 -07:00
xt_TCPOPTSTRIP.c
netfilter: xtables: substitute temporary defines by final name
2010-05-11 18:31:17 +02:00
xt_tcpudp.c
netfilter: xtables: change hotdrop pointer to direct modification
2010-05-11 18:35:27 +02:00
xt_TEE.c
net: use the macros defined for the members of flowi
2010-11-17 12:27:45 -08:00
xt_time.c
netfilter: remove unnecessary returns from void function()s
2010-05-13 15:16:27 +02:00
xt_TPROXY.c
netfilter: fix module dependency issues with IPv6 defragmentation, ip6tables and xt_TPROXY
2010-10-25 13:58:36 -07:00
xt_TRACE.c
netfilter: xtables: substitute temporary defines by final name
2010-05-11 18:31:17 +02:00
xt_u32.c
netfilter: xtables: deconstify struct xt_action_param for matches
2010-05-11 18:33:37 +02:00