authorRichard Guy Briggs <rgb@redhat.com>2014-04-22 21:31:54 -0400
committerDavid S. Miller <davem@davemloft.net>2014-04-22 21:42:26 -0400
commit4f520900522fd596e336c07e9aafd5b7a9564235 (patch)
tree324137d33d9fe83adba3b0a96026f645fe7b12f1 /net/netfilter
parentbfe4bc71c64a34813a7bde0ad4d28486679ac3fe (diff)
netlink: have netlink per-protocol bind function return an error code.
Have the netlink per-protocol optional bind function return an int error code rather than void to signal a failure. This will enable netlink protocols to perform extra checks including capabilities and permissions verifications when updating memberships in multicast groups. In netlink_bind() and netlink_setsockopt() the call to the per-protocol bind function was moved above the multicast group update to prevent any access to the multicast socket groups before checking with the per-protocol bind function. This will enable the per-protocol bind function to be used to check permissions which could be denied before making them available, and to avoid the messy job of undoing the addition should the per-protocol bind function fail. The netfilter subsystem seems to be the only one currently using the per-protocol bind function. Signed-off-by: Richard Guy Briggs <rgb@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/netfilter')
-rw-r--r--net/netfilter/nfnetlink.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c
index 0df800a454ec..6e42dcfad40a 100644
--- a/net/netfilter/nfnetlink.c
+++ b/net/netfilter/nfnetlink.c
@@ -400,7 +400,7 @@ static void nfnetlink_rcv(struct sk_buff *skb)
}
#ifdef CONFIG_MODULES
-static void nfnetlink_bind(int group)
+static int nfnetlink_bind(int group)
{
const struct nfnetlink_subsystem *ss;
int type = nfnl_group2type[group];
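Review bot: `int type = nfnl_group2type[group];` indexes the table in the declaration initializer, so no range check on `group` can run before the read. The commit message says this hook is reached from netlink_bind() and netlink_setsockopt(), so `group` appears to derive from a value supplied by the socket owner. Whether those callers bound it to the nfnetlink group range is not visible here. Now that the function can return an error, it should reject out-of-range groups itself: declare `int type;`, add `if (group <= NFNLGRP_NONE || group > NFNLGRP_MAX) return -EINVAL;`, and only then do `type = nfnl_group2type[group];`. The body continues past the end of this hunk.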
@@ -410,6 +410,7 @@ static void nfnetlink_bind(int group)
rcu_read_unlock();
if (!ss)
request_module("nfnetlink-subsys-%d", type);
+ return 0;
}
#endif
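Review bot: The new `return 0;` is unconditional, so the error path this commit adds in the callers can never be taken for nfnetlink, and the result of `request_module()` is still discarded. If ignoring a failed autoload is intentional, which seems likely since the bind itself does not depend on the module, the new return contract should say so. A comment above the function would do, for example `/* Returns 0 always: subsystem autoload is best-effort and must not fail the bind. */`. That also tells whoever later adds the permission checks mentioned in the commit message where a non-zero return belongs. The start of the function is outside this hunk.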