[Security] Restrict socket policy loading to CAP_NET_ADMIN.

See CAN-2005-2555.

svn path=/trunk/kernel/linux-2.6/; revision=4007

debian/changelog

@@ -1,11 +1,13 @@
 linux-2.6 (2.6.12+2.6.13-rc6-1) UNRELEASED; urgency=low
 
   [ Simon Horman ]
-  * - Unset CC_OPTIMIZE_FOR_SIZE in i386 config,
-      it breaks iproute's (and other netlink users) ability
-      to set routes. (closes: #322723) 
+  * Unset CC_OPTIMIZE_FOR_SIZE in i386 config,
+    it breaks iproute's (and other netlink users) ability
+    to set routes. (closes: #322723)
+  * [Security] Restrict socket policy loading to CAP_NET_ADMIN.
+    See CAN-2005-2555. 
 
- -- Simon Horman <horms@debian.org>  Sun, 21 Aug 2005 10:55:12 +0900
+ -- Simon Horman <horms@debian.org>  Mon, 22 Aug 2005 14:54:28 +0900
 
 linux-2.6 (2.6.12-6) UNRELEASED; urgency=low
 

debian/patches-debian/net-sockglue-cap.patch

@@ -0,0 +1,39 @@
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Sat, 6 Aug 2005 13:33:15 +0000 (-0700)
+Subject: [IPSEC]: Restrict socket policy loading to CAP_NET_ADMIN.
+X-Git-Tag: v2.6.13-rc6
+X-Git-Url: http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=6fc0b4a7a73a81e74d0004732df358f4f9975be2
+
+  [IPSEC]: Restrict socket policy loading to CAP_NET_ADMIN.
+  
+  The interface needs much redesigning if we wish to allow
+  normal users to do this in some way.
+  
+  Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+  Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+
+--- a/net/ipv4/ip_sockglue.c
++++ b/net/ipv4/ip_sockglue.c
+@@ -848,6 +848,9 @@ mc_msf_out:
+  
+ 		case IP_IPSEC_POLICY:
+ 		case IP_XFRM_POLICY:
++			err = -EPERM;
++			if (!capable(CAP_NET_ADMIN))
++				break;
+ 			err = xfrm_user_policy(sk, optname, optval, optlen);
+ 			break;
+ 
+--- a/net/ipv6/ipv6_sockglue.c
++++ b/net/ipv6/ipv6_sockglue.c
+@@ -504,6 +504,9 @@ done:
+ 		break;
+ 	case IPV6_IPSEC_POLICY:
+ 	case IPV6_XFRM_POLICY:
++		retv = -EPERM;
++		if (!capable(CAP_NET_ADMIN))
++			break;
+ 		retv = xfrm_user_policy(sk, optname, optval, optlen);
+ 		break;
+ 

debian/patches-debian/series/2.6.12+2.6.13-rc6-1

@@ -19,3 +19,4 @@
 + remove-references-to-removed-drivers.patch
 + sparc64-hme-lockup.patch
 + tty-locking-fixes9.patch
++ net-sockglue-cap.patch