[IPSEC]: Restrict socket policy loading to CAP_NET_ADMIN. |
|
[IPSEC]: Restrict socket policy loading to CAP_NET_ADMIN. |
| 1 |
|
1 |
|
| 2 |
The interface needs much redesigning if we wish to allow |
2 |
The interface needs much redesigning if we wish to allow |
| 3 |
normal users to do this in some way. |
3 |
normal users to do this in some way. |
| 4 |
|
4 |
|
| 5 |
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> |
5 |
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> |
| 6 |
Signed-off-by: David S. Miller <davem@davemloft.net> |
6 |
Signed-off-by: David S. Miller <davem@davemloft.net> |
| 7 |
-- |
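--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c
@@ -848,6 +848,9 @@ mc_msf_out:
 
 case IP_IPSEC_POLICY:
 case IP_XFRM_POLICY:
+err = -EPERM;
+if (!capable(CAP_NET_ADMIN))
+break;
 err = xfrm_user_policy(sk, optname, optval, optlen);
 break;
 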
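Review bot: The CAP_NET_ADMIN gate is open-coded in the `IP_IPSEC_POLICY`/`IP_XFRM_POLICY` case here and again in the `IPV6_IPSEC_POLICY`/`IPV6_XFRM_POLICY` case of net/ipv6/ipv6_sockglue.c, so the restriction holds only as long as every caller of `xfrm_user_policy()` repeats it. Consider moving the test into `xfrm_user_policy()` itself, e.g. `if (!capable(CAP_NET_ADMIN)) return -EPERM;` at its top, so the two socket-option paths cannot drift apart. That function is not visible in this patch, so confirm it has no other caller that needs a different rule. The enclosing switch starts and ends outside the hunk.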
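--- a/net/ipv6/ipv6_sockglue.c
+++ b/net/ipv6/ipv6_sockglue.c
@@ -504,6 +504,9 @@ done:
 break;
 case IPV6_IPSEC_POLICY:
 case IPV6_XFRM_POLICY:
+retv = -EPERM;
+if (!capable(CAP_NET_ADMIN))
+break;
 retv = xfrm_user_policy(sk, optname, optval, optlen);
 break;
 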
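Review bot: Nothing at the new check in the `IPV6_IPSEC_POLICY`/`IPV6_XFRM_POLICY` case says why it is there; the reason lives only in the commit message, and the same holds for the IPv4 hunk. A short comment above `retv = -EPERM;` would help, for example `/* Socket policy loading is CAP_NET_ADMIN-only until the interface is redesigned for normal users. */`. A process that sets a per-socket policy after dropping privileges will presumably now get EPERM, which is worth stating in the commit description so such callers know to set the policy first. The enclosing switch is outside the hunk.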