[Security] Restrict socket policy loading to CAP_NET_ADMIN.

See CAN-2005-2555. svn path=/branches/dist/sid/kernel/linux-2.6/; revision=4009
2005-08-22 06:07:59 +00:00 · 2005-08-22 06:07:59 +00:00 · 84e5f63594
parent b8a3feeff3 411e130b2d
commit 84e5f63594
3 changed files with 47 additions and 1 deletions
--- a/debian/changelog
+++ b/debian/changelog
@ -1,5 +1,6 @@
 linux-2.6 (2.6.12-6) UNRELEASED; urgency=low

+  [ Bastian Blank ]
  * Change ATM and Classical-IP-over-ATM to be modular, instead of being
    statically included.
    (closes: #323143) (Andres Salomon, Bastian Blank)
@ -12,7 +13,12 @@ linux-2.6 (2.6.12-6) UNRELEASED; urgency=low
    it breaks iproute's (and other netlink users) ability
    to set routes. (closes: #322723) (Simon Horman)

- -- Bastian Blank <waldi@debian.org>  Sat, 20 Aug 2005 11:57:45 +0200
+  [ Simon Horman ]
+  * net-sockglue-cap.patch
+    [Security] Restrict socket policy loading to CAP_NET_ADMIN.
+    See CAN-2005-2555.
+
+ -- Simon Horman <horms@debian.org>  Mon, 22 Aug 2005 15:04:40 +0900

 linux-2.6 (2.6.12-5) unstable; urgency=low

--- a/debian/patches-debian/net-sockglue-cap.patch
+++ b/debian/patches-debian/net-sockglue-cap.patch
@ -0,0 +1,39 @@
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Sat, 6 Aug 2005 13:33:15 +0000 (-0700)
+Subject: [IPSEC]: Restrict socket policy loading to CAP_NET_ADMIN.
+X-Git-Tag: v2.6.13-rc6
+X-Git-Url: http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=6fc0b4a7a73a81e74d0004732df358f4f9975be2
+
+  [IPSEC]: Restrict socket policy loading to CAP_NET_ADMIN.
+  
+  The interface needs much redesigning if we wish to allow
+  normal users to do this in some way.
+  
+  Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+  Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+
+--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c
+@@ -848,6 +848,9 @@ mc_msf_out:
+  
+ 		case IP_IPSEC_POLICY:
+ 		case IP_XFRM_POLICY:
+			err = -EPERM;
+			if (!capable(CAP_NET_ADMIN))
+				break;
+ 			err = xfrm_user_policy(sk, optname, optval, optlen);
+ 			break;
+ 
+--- a/net/ipv6/ipv6_sockglue.c
+++ b/net/ipv6/ipv6_sockglue.c
+@@ -504,6 +504,9 @@ done:
+ 		break;
+ 	case IPV6_IPSEC_POLICY:
+ 	case IPV6_XFRM_POLICY:
+		retv = -EPERM;
+		if (!capable(CAP_NET_ADMIN))
+			break;
+ 		retv = xfrm_user_policy(sk, optname, optval, optlen);
+ 		break;
+ 
--- a/debian/patches-debian/series/2.6.12-6
+++ b/debian/patches-debian/series/2.6.12-6
@ -0,0 +1 @@
+ net-sockglue-cap.patch