authorFlorian Westphal <fw@strlen.de>2026-02-23 23:45:53 +0100
committerFlorian Westphal <fw@strlen.de>2026-02-23 23:45:53 +0100
commit6fff7039c06f0084ed35d7a73a6784ef0c12619e (patch)
tree526491424397cc22c98da9ffef869124da93befc
parent342291e0ff56fb33bc62f9131ce2eab18d0b357d (diff)
Revert "libxtables: refuse to run under file capabilities"HEADmaster
This reverts commit a2a733e9f0da779bbe009736644f4481e22ca3d1. The new iptables 1.8.12 release is broken on docker; the breakage was pinpointed to the getauxval() change: getauxval(AT_SECURE) apparently can be nonzero in the presence of LSMs. That makes getauxval() useless for the purpose of detecting a setcap binary. So revert this.

Bugzilla: https://bugzilla.netfilter.org/show_bug.cgi?id=1830
Signed-off-by: Florian Westphal <fw@strlen.de>
-rw-r--r--libxtables/xtables.c5
1 files changed, 2 insertions, 3 deletions
diff --git a/libxtables/xtables.c b/libxtables/xtables.c
index 51706dc4..1e1f4f78 100644
--- a/libxtables/xtables.c
+++ b/libxtables/xtables.c
@@ -31,7 +31,6 @@
#include <netinet/ether.h>
#include <sys/socket.h>
#include <sys/stat.h>
-#include <sys/auxv.h>
#include <sys/statfs.h>
#include <sys/types.h>
#include <sys/utsname.h>
@@ -332,8 +331,8 @@ void xtables_announce_chain(const char *name)
void xtables_init(void)
{
- /* xtables cannot be used with setuid/setcap in a safe way. */
- if (getuid() != geteuid() || getauxval(AT_SECURE))
+ /* xtables cannot be used with setuid in a safe way. */
+ if (getuid() != geteuid())
_exit(111);
xtables_libdir = getenv("XTABLES_LIBDIR");