GET /api/patches/2196641/?format=api
HTTP 200 OK
Allow: GET, PUT, PATCH, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "id": 2196641,
    "url": "http://patchwork.ozlabs.org/api/patches/2196641/?format=api",
    "web_url": "http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260215170453.20653-1-alan@sleuthco.ai/",
    "project": {
        "id": 26,
        "url": "http://patchwork.ozlabs.org/api/projects/26/?format=api",
        "name": "Netfilter Development",
        "link_name": "netfilter-devel",
        "list_id": "netfilter-devel.vger.kernel.org",
        "list_email": "netfilter-devel@vger.kernel.org",
        "web_url": null,
        "scm_url": null,
        "webscm_url": null,
        "list_archive_url": "",
        "list_archive_url_format": "",
        "commit_url_format": ""
    },
    "msgid": "<20260215170453.20653-1-alan@sleuthco.ai>",
    "list_archive_url": null,
    "date": "2026-02-15T17:04:53",
    "name": "ipset: refuse to run under file capabilities",
    "commit_ref": null,
    "pull_url": null,
    "state": "new",
    "archived": false,
    "hash": "74040e89bbd09cfeff9823c5eb8bc93557efe17e",
    "submitter": {
        "id": 92640,
        "url": "http://patchwork.ozlabs.org/api/people/92640/?format=api",
        "name": "Alan Ross",
        "email": "alan@sleuthco.ai"
    },
    "delegate": null,
    "mbox": "http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260215170453.20653-1-alan@sleuthco.ai/mbox/",
    "series": [
        {
            "id": 492229,
            "url": "http://patchwork.ozlabs.org/api/series/492229/?format=api",
            "web_url": "http://patchwork.ozlabs.org/project/netfilter-devel/list/?series=492229",
            "date": "2026-02-15T17:04:53",
            "name": "ipset: refuse to run under file capabilities",
            "version": 1,
            "mbox": "http://patchwork.ozlabs.org/series/492229/mbox/"
        }
    ],
    "comments": "http://patchwork.ozlabs.org/api/patches/2196641/comments/",
    "check": "pending",
    "checks": "http://patchwork.ozlabs.org/api/patches/2196641/checks/",
    "tags": {},
    "related": [],
    "headers": {
        "Return-Path": "\n <netfilter-devel+bounces-10786-incoming=patchwork.ozlabs.org@vger.kernel.org>",
        "X-Original-To": [
            "incoming@patchwork.ozlabs.org",
            "netfilter-devel@vger.kernel.org"
        ],
        "Delivered-To": "patchwork-incoming@legolas.ozlabs.org",
        "Authentication-Results": [
            "legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=sleuthco.ai header.i=@sleuthco.ai header.a=rsa-sha256\n header.s=google header.b=ghzfrOo7;\n\tdkim-atps=neutral",
            "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c0a:e001:db::12fc:5321; helo=sea.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-10786-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)",
            "smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=sleuthco.ai header.i=@sleuthco.ai\n header.b=\"ghzfrOo7\"",
            "smtp.subspace.kernel.org;\n arc=none smtp.client-ip=209.85.160.169",
            "smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=sleuthco.ai",
            "smtp.subspace.kernel.org;\n spf=fail smtp.mailfrom=sleuthco.ai"
        ],
        "Received": [
            "from sea.lore.kernel.org (sea.lore.kernel.org\n [IPv6:2600:3c0a:e001:db::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fDXMq4Hg6z1xpl\n\tfor <incoming@patchwork.ozlabs.org>; Mon, 16 Feb 2026 04:05:11 +1100 (AEDT)",
            "from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sea.lore.kernel.org (Postfix) with ESMTP id 9C6A2301B903\n\tfor <incoming@patchwork.ozlabs.org>; Sun, 15 Feb 2026 17:05:06 +0000 (UTC)",
            "from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id C2C34255F2D;\n\tSun, 15 Feb 2026 17:05:04 +0000 (UTC)",
            "from mail-qt1-f169.google.com (mail-qt1-f169.google.com\n [209.85.160.169])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id C213E1E3DE5\n\tfor <netfilter-devel@vger.kernel.org>; Sun, 15 Feb 2026 17:05:02 +0000 (UTC)",
            "by mail-qt1-f169.google.com with SMTP id\n d75a77b69052e-506aa685d62so11900941cf.0\n        for <netfilter-devel@vger.kernel.org>;\n Sun, 15 Feb 2026 09:05:02 -0800 (PST)",
            "from localhost.localdomain\n ([2601:195:c200:c890:8d78:275e:d0a0:a365])\n        by smtp.gmail.com with ESMTPSA id\n d75a77b69052e-506849fbb9dsm118789881cf.15.2026.02.15.09.05.00\n        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n        Sun, 15 Feb 2026 09:05:01 -0800 (PST)"
        ],
        "ARC-Seal": "i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1771175104; cv=none;\n b=NXydJNi7nis+3LOtJGo85NxFDr9lcqQ4piScAHz+yS6D2m7VTRfkmZGCBywL1ywb5MHig/KJqUDUbA9HTIrS01JR9B0f4LeXHWEcp/g+r4H7dBCeDiDQqsR94uQApE2KNnKNwau8GcxMSuYZtbFOpfM7+XjhsUX5iQfPYWrgp7g=",
        "ARC-Message-Signature": "i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1771175104; c=relaxed/simple;\n\tbh=f+Tyh2hLJ+Cne3xUFe0xnTyFnLfXyVQunrlA9JTEsbY=;\n\th=From:To:Cc:Subject:Date:Message-ID:MIME-Version;\n b=JkBMz0cfdBINbTdCqK/f0E6A5AEq53JRnsm5mCcSMb3emCM0UCKGuoEncFtvw73Z1hK79HICXCNiGiG9ioHYiqBhZ6FdnrM+OzXrBNmhl76bhfhi+rgce+lsM3K9ZdEj76C4S1bmgGlGw2g/KEAE0WslP/VBPeiyqLSwlhfy22c=",
        "ARC-Authentication-Results": "i=1; smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=sleuthco.ai;\n spf=fail smtp.mailfrom=sleuthco.ai;\n dkim=pass (2048-bit key) header.d=sleuthco.ai header.i=@sleuthco.ai\n header.b=ghzfrOo7; arc=none smtp.client-ip=209.85.160.169",
        "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n        d=sleuthco.ai; s=google; t=1771175101; x=1771779901;\n darn=vger.kernel.org;\n        h=content-transfer-encoding:mime-version:message-id:date:subject:cc\n         :to:from:from:to:cc:subject:date:message-id:reply-to;\n        bh=HPsdSB/iF5HKTkmUBRnibeO6Imspxqd/mhWEIPbcdnw=;\n        b=ghzfrOo7RT5MGmw54Qzjsduq/+hkCx+xmAIh17ykwEpBdk28H6ksdpgWDl3UXLIjFP\n         4lU3a0vIJGOiIumtVHOkLlhoiFOwjYOWyvHEyz7cBzAP5uaqCG4LZ0iLbB0ddRfJYWWE\n         Dw7z/NtyFaKOupgNdlqi/fWtUBVwjgzXdq8V9pF+09MmWYY5MQ9Jy/URPTkZeNLDYqIs\n         nArTq/MhEUTaNq7RTcAofMrU095R/kgMa7Y0WSxrsPI/mAfc0fKozGPRTM/qfkP96NGj\n         PSrjAI8HZQYQvmdp0YkTNj/AFuWoqAWlVt31BE4Cfm+WMdiWwWYO2bwIUpG692DHQuJa\n         06cw==",
        "X-Google-DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n        d=1e100.net; s=20230601; t=1771175101; x=1771779901;\n        h=content-transfer-encoding:mime-version:message-id:date:subject:cc\n         :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date\n         :message-id:reply-to;\n        bh=HPsdSB/iF5HKTkmUBRnibeO6Imspxqd/mhWEIPbcdnw=;\n        b=Lj9FRUhbguFn8S8MKsgJl5H76dWFaoqzB6zmjSnVa4dgJjfkqXtY5qlrxfM8BKLKoU\n         p2mWUJG/+zuFzDr3TVHr4DJxqUFbLXkcTAckfIbepZeiGEAfSyMi9Wjr3GgOiKsoYCkk\n         N/s6dCMomDtLZr9ttGAMDEtWLCeTl8joVjIgLQme+o+WQAP4E6JeCS5CBB390F7+l2RM\n         GW+HI+JJcH1RiM7ztd+e2Z7iBMydsU8znUMYWJTCJPgbQfQrcAVksuyDQaG4mx5mSSr2\n         nuS9hw7zJ0B6GU4YBfu5muYKGK8/1ba45LhBdBgkX3UR6KQMcD3lVf0xXqRU6hEQ2JMf\n         ZaPg==",
        "X-Gm-Message-State": "AOJu0Yw9HWhv8WK1/PmGk3xRvAkuNJ0qb8YKPofab+uAFoRU2r6Ut+/2\n\tNEniks2K7EUhs0mheA5eBomKP4eYluMyzvleLPQFImMtvFToHeDIcz9kKRlpbphC+ZK1ACENdRu\n\t0hAab9n8t",
        "X-Gm-Gg": "AZuq6aJL5JGhFrOWSx4bT6dGPhHqM25waFlMrxYLhwyzhdd57e7vu8AjoiKD+Fv7KQ+\n\t5L4KzIcFuj/RafW8zlPUrhoWnZX8Bnamy3x/Z58htmkdeXR59Ho7HAYZgFPVzDp7rsCFubXAfqS\n\tsBcVDCb1RCoeMAG7tSdfCBi+ls4/B/wBc4526+oFfgaTt3VE8EdPlBMV1N7y3CwADLVOCJEg/5n\n\tNbYBneo2wxYx7AhyDM8ZXkzCKfnbhSI8YcSrxXeiEEEFScfIGD2ou3EPWI1nywfRhN9y4Xf33zX\n\tgYgJqIpmbB718SoPvArTZFATQCFO0201cqZjQ73xImLg/ONLLekMkHBIo1ZBrzlwjAYK3/rMOYU\n\ttLZ9J9HnvLUOG36EqoZbNuPx+YA5IFPDraFVAVeSiDayXPH/38F4yLerxjqeYoK6cV7PYAeRRcl\n\tE0wzImWbb2U3fbsxb8eO2aYawVIVbXvnAReFy0xIE=",
        "X-Received": "by 2002:ac8:5713:0:b0:4f1:abb3:7571 with SMTP id\n d75a77b69052e-506a829184cmr102136821cf.33.1771175101367;\n        Sun, 15 Feb 2026 09:05:01 -0800 (PST)",
        "From": "Alan Ross <alan@sleuthco.ai>",
        "To": "netfilter-devel@vger.kernel.org",
        "Cc": "kadlec@netfilter.org,\n\tpablo@netfilter.org,\n\tAlan Ross <alan@sleuthco.ai>",
        "Subject": "[PATCH] ipset: refuse to run under file capabilities",
        "Date": "Sun, 15 Feb 2026 12:04:53 -0500",
        "Message-ID": "<20260215170453.20653-1-alan@sleuthco.ai>",
        "X-Mailer": "git-send-email 2.52.0.windows.1",
        "Precedence": "bulk",
        "X-Mailing-List": "netfilter-devel@vger.kernel.org",
        "List-Id": "<netfilter-devel.vger.kernel.org>",
        "List-Subscribe": "<mailto:netfilter-devel+subscribe@vger.kernel.org>",
        "List-Unsubscribe": "<mailto:netfilter-devel+unsubscribe@vger.kernel.org>",
        "MIME-Version": "1.0",
        "Content-Transfer-Encoding": "8bit"
    },
    "content": "Refuse to run when ipset has been given file capabilities\n(e.g. setcap cap_net_admin+ep) or is setuid/setgid.\n\nRunning networking administration tools with elevated privileges via\nfile capabilities exposes the same risks as setuid: any environment\nvariable or file-descriptor manipulation the kernel does not scrub can\nbe leveraged by an unprivileged caller.\n\nAdd a guard at the very top of main() that calls _exit(111) when\ngetuid() != geteuid(), getgid() != getegid(), or\ngetauxval(AT_SECURE) is set.\n\nThis follows the same pattern recently applied to iptables\n(commit a2a733e9f0da) and nftables (commit badb2474ca8b).\n\nSigned-off-by: Alan Ross <alan@sleuthco.ai>\n---\n src/ipset.c | 7 +++++++\n 1 file changed, 7 insertions(+)",
    "diff": "diff --git a/src/ipset.c b/src/ipset.c\nindex d7733bf..fff1ca6 100644\n--- a/src/ipset.c\n+++ b/src/ipset.c\n@@ -11,11 +11,13 @@\n #include <stdio.h>\t\t\t/* fprintf */\n #include <stdlib.h>\t\t\t/* exit */\n #include <string.h>\t\t\t/* strcmp */\n+#include <unistd.h>\t\t\t/* getuid, getgid, _exit */\n \n #include <config.h>\n #include <libipset/ipset.h>\t\t/* ipset library */\n #include <libipset/xlate.h>\t\t/* translate to nftables */\n #include <libgen.h>\n+#include <sys/auxv.h>\t\t\t/* getauxval */\n \n int\n main(int argc, char *argv[])\n@@ -23,6 +25,11 @@ main(int argc, char *argv[])\n \tstruct ipset *ipset;\n \tint ret;\n \n+\t/* Refuse to run under setuid/setgid or file capabilities */\n+\tif (getuid() != geteuid() || getgid() != getegid() ||\n+\t    getauxval(AT_SECURE))\n+\t\t_exit(111);\n+\n \t/* Load set types */\n \tipset_load_types();\n \n",
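Review bot: The guard added at the top of main() exits with status 111 and writes nothing, so an administrator who had deployed ipset with `setcap cap_net_admin+ep` sees a bare failure with no hint of the cause. If the silence is deliberate (doing as little as possible in an untrusted environment), say so in the comment and document the status in the man page; otherwise a single fixed-string message such as `fprintf(stderr, "ipset: refusing to run setuid/setgid or with file capabilities\n");` before `_exit(111)` would make it diagnosable. The comment could also note that `getauxval(AT_SECURE)` is the term that catches file capabilities, since the uid/gid comparisons alone do not. The new `#include <sys/auxv.h>` in the first hunk is unconditional, which presumably assumes every supported libc provides getauxval(); main()'s body continues outside the hunk.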
    "prefixes": []
}