40 lines
1.1 KiB
Diff
40 lines
1.1 KiB
Diff
From: Herbert Xu <herbert@gondor.apana.org.au>
|
|
Date: Sat, 6 Aug 2005 13:33:15 +0000 (-0700)
|
|
Subject: [IPSEC]: Restrict socket policy loading to CAP_NET_ADMIN.
|
|
X-Git-Tag: v2.6.13-rc6
|
|
X-Git-Url: http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=6fc0b4a7a73a81e74d0004732df358f4f9975be2
|
|
|
|
[IPSEC]: Restrict socket policy loading to CAP_NET_ADMIN.
|
|
|
|
The interface needs much redesigning if we wish to allow
|
|
normal users to do this in some way.
|
|
|
|
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
|
|
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
---
|
|
|
|
--- a/net/ipv4/ip_sockglue.c
|
|
+++ b/net/ipv4/ip_sockglue.c
|
|
@@ -848,6 +848,9 @@ mc_msf_out:
|
|
|
|
case IP_IPSEC_POLICY:
|
|
case IP_XFRM_POLICY:
|
|
+ err = -EPERM;
|
|
+ if (!capable(CAP_NET_ADMIN))
|
|
+ break;
|
|
err = xfrm_user_policy(sk, optname, optval, optlen);
|
|
break;
|
|
|
|
--- a/net/ipv6/ipv6_sockglue.c
|
|
+++ b/net/ipv6/ipv6_sockglue.c
|
|
@@ -504,6 +504,9 @@ done:
|
|
break;
|
|
case IPV6_IPSEC_POLICY:
|
|
case IPV6_XFRM_POLICY:
|
|
+ retv = -EPERM;
|
|
+ if (!capable(CAP_NET_ADMIN))
|
|
+ break;
|
|
retv = xfrm_user_policy(sk, optname, optval, optlen);
|
|
break;
|
|
|