git://ftp.safe.ca / safe / jmp / linux-2.6 / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: aaff23a) | patch
netfilter: ebtables: enforce CAP_NET_ADMIN
authorFlorian Westphal <fwestphal@astaro.com>
Fri, 8 Jan 2010 16:31:24 +0000 (17:31 +0100)
committerPatrick McHardy <kaber@trash.net>
Fri, 8 Jan 2010 16:31:24 +0000 (17:31 +0100)
commitdce766af541f6605fa9889892c0280bab31c66ab
treefd9a11a09bf038336429f33dc092333aa745edb1tree | snapshot
parentaaff23a95aea5f000895f50d90e91f1e2f727002commit | diff
netfilter: ebtables: enforce CAP_NET_ADMIN

normal users are currently allowed to set/modify ebtables rules.
Restrict it to processes with CAP_NET_ADMIN.

Note that this cannot be reproduced with unmodified ebtables binary
because it uses SOCK_RAW.

Signed-off-by: Florian Westphal <fwestphal@astaro.com>
Cc: stable@kernel.org
Signed-off-by: Patrick McHardy <kaber@trash.net>
net/bridge/netfilter/ebtables.c diff | blob | history
Full containers within linux kernel