diff options
| author | Herbert Xu <herbert@gondor.apana.org.au> | 2005-08-06 13:33:15 -0700 |
|---|---|---|
| committer | Chris Wright <chrisw@osdl.org> | 2005-08-29 09:55:11 -0700 |
| commit | 332b8bee402fe1076e50d08dfa535a9f0a349cba (patch) | |
| tree | cca6068ed79c6695c64bca4ec193a827c183913e /net | |
| parent | ab1e03b731781609a550360f295061ff57ca3dbb (diff) | |
| download | linux-stable-332b8bee402fe1076e50d08dfa535a9f0a349cba.tar.gz linux-stable-332b8bee402fe1076e50d08dfa535a9f0a349cba.tar.bz2 linux-stable-332b8bee402fe1076e50d08dfa535a9f0a349cba.zip | |
[PATCH] Restrict socket policy loading to CAP_NET_ADMIN - CAN-2005-2555
The interface needs much redesigning if we wish to allow
normal users to do this in some way.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: "David S. Miller" <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@osdl.org>
Diffstat (limited to 'net')
| -rw-r--r-- | net/ipv4/ip_sockglue.c | 3 | ||||
| -rw-r--r-- | net/ipv6/ipv6_sockglue.c | 3 |
2 files changed, 6 insertions, 0 deletions
diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c index 47012b93cad2..370e98ae81ee 100644 --- a/net/ipv4/ip_sockglue.c +++ b/net/ipv4/ip_sockglue.c @@ -848,6 +848,9 @@ mc_msf_out: case IP_IPSEC_POLICY: case IP_XFRM_POLICY: + err = -EPERM; + if (!capable(CAP_NET_ADMIN)) + break; err = xfrm_user_policy(sk, optname, optval, optlen); break; diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c index 279ab86be662..855051ad1498 100644 --- a/net/ipv6/ipv6_sockglue.c +++ b/net/ipv6/ipv6_sockglue.c @@ -503,6 +503,9 @@ done: break; case IPV6_IPSEC_POLICY: case IPV6_XFRM_POLICY: + retv = -EPERM; + if (!capable(CAP_NET_ADMIN)) + break; retv = xfrm_user_policy(sk, optname, optval, optlen); break; |