[Security] Restrict socket policy loading to CAP_NET_ADMIN.
See CAN-2005-2555. svn path=/trunk/kernel/linux-2.6/; revision=4007
parent
ada5711e91
commit
411e130b2d
|
@ -1,11 +1,13 @@
|
|||
linux-2.6 (2.6.12+2.6.13-rc6-1) UNRELEASED; urgency=low
|
||||
|
||||
[ Simon Horman ]
|
||||
* - Unset CC_OPTIMIZE_FOR_SIZE in i386 config,
|
||||
it breaks iproute's (and other netlink users) ability
|
||||
to set routes. (closes: #322723)
|
||||
* Unset CC_OPTIMIZE_FOR_SIZE in i386 config,
|
||||
it breaks iproute's (and other netlink users) ability
|
||||
to set routes. (closes: #322723)
|
||||
* [Security] Restrict socket policy loading to CAP_NET_ADMIN.
|
||||
See CAN-2005-2555.
|
||||
|
||||
-- Simon Horman <horms@debian.org> Sun, 21 Aug 2005 10:55:12 +0900
|
||||
-- Simon Horman <horms@debian.org> Mon, 22 Aug 2005 14:54:28 +0900
|
||||
|
||||
linux-2.6 (2.6.12-6) UNRELEASED; urgency=low
|
||||
|
||||
|
|
|
@ -0,0 +1,39 @@
|
|||
From: Herbert Xu <herbert@gondor.apana.org.au>
|
||||
Date: Sat, 6 Aug 2005 13:33:15 +0000 (-0700)
|
||||
Subject: [IPSEC]: Restrict socket policy loading to CAP_NET_ADMIN.
|
||||
X-Git-Tag: v2.6.13-rc6
|
||||
X-Git-Url: http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=6fc0b4a7a73a81e74d0004732df358f4f9975be2
|
||||
|
||||
[IPSEC]: Restrict socket policy loading to CAP_NET_ADMIN.
|
||||
|
||||
The interface needs much redesigning if we wish to allow
|
||||
normal users to do this in some way.
|
||||
|
||||
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
|
||||
--- a/net/ipv4/ip_sockglue.c
|
||||
+++ b/net/ipv4/ip_sockglue.c
|
||||
@@ -848,6 +848,9 @@ mc_msf_out:
|
||||
|
||||
case IP_IPSEC_POLICY:
|
||||
case IP_XFRM_POLICY:
|
||||
+ err = -EPERM;
|
||||
+ if (!capable(CAP_NET_ADMIN))
|
||||
+ break;
|
||||
err = xfrm_user_policy(sk, optname, optval, optlen);
|
||||
break;
|
||||
|
||||
--- a/net/ipv6/ipv6_sockglue.c
|
||||
+++ b/net/ipv6/ipv6_sockglue.c
|
||||
@@ -504,6 +504,9 @@ done:
|
||||
break;
|
||||
case IPV6_IPSEC_POLICY:
|
||||
case IPV6_XFRM_POLICY:
|
||||
+ retv = -EPERM;
|
||||
+ if (!capable(CAP_NET_ADMIN))
|
||||
+ break;
|
||||
retv = xfrm_user_policy(sk, optname, optval, optlen);
|
||||
break;
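Review bot: The `capable(CAP_NET_ADMIN)` gate is added separately in the `IP_IPSEC_POLICY`/`IP_XFRM_POLICY` case of ip_sockglue.c and in the `IPV6_IPSEC_POLICY`/`IPV6_XFRM_POLICY` case of ipv6_sockglue.c, so the restriction holds only as long as every path into `xfrm_user_policy()` repeats it. If no caller needs an unprivileged path (other callers are not visible from these hunks), placing the check at the top of `xfrm_user_policy()` would enforce it in one place. Otherwise each site deserves a comment such as `/* socket policy loading is privileged: CAP_NET_ADMIN only (CAN-2005-2555) */` so the check is not dropped in a later cleanup. Unprivileged callers now receive -EPERM for these options, which is worth stating in the changelog entry for any daemon that sets per-socket policy without that capability. Both switch statements begin and end outside the hunks.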
|
||||
|
|
@ -19,3 +19,4 @@
|
|||
+ remove-references-to-removed-drivers.patch
|
||||
+ sparc64-hme-lockup.patch
|
||||
+ tty-locking-fixes9.patch
|
||||
+ net-sockglue-cap.patch
|
||||
|
|