[Security] Restrict socket policy loading to CAP_NET_ADMIN.
See CAN-2005-2555. svn path=/branches/dist/sid/kernel/linux-2.6/; revision=4009
This commit is contained in:
commit
84e5f63594
|
@ -1,5 +1,6 @@
|
|||
linux-2.6 (2.6.12-6) UNRELEASED; urgency=low
|
||||
|
||||
[ Bastian Blank ]
|
||||
* Change ATM and Classical-IP-over-ATM to be modular, instead of being
|
||||
statically included.
|
||||
(closes: #323143) (Andres Salomon, Bastian Blank)
|
||||
|
@ -12,7 +13,12 @@ linux-2.6 (2.6.12-6) UNRELEASED; urgency=low
|
|||
it breaks iproute's (and other netlink users) ability
|
||||
to set routes. (closes: #322723) (Simon Horman)
|
||||
|
||||
-- Bastian Blank <waldi@debian.org> Sat, 20 Aug 2005 11:57:45 +0200
|
||||
[ Simon Horman ]
|
||||
* net-sockglue-cap.patch
|
||||
[Security] Restrict socket policy loading to CAP_NET_ADMIN.
|
||||
See CAN-2005-2555.
|
||||
|
||||
-- Simon Horman <horms@debian.org> Mon, 22 Aug 2005 15:04:40 +0900
|
||||
|
||||
linux-2.6 (2.6.12-5) unstable; urgency=low
|
||||
|
||||
|
|
|
@ -0,0 +1,39 @@
|
|||
From: Herbert Xu <herbert@gondor.apana.org.au>
|
||||
Date: Sat, 6 Aug 2005 13:33:15 +0000 (-0700)
|
||||
Subject: [IPSEC]: Restrict socket policy loading to CAP_NET_ADMIN.
|
||||
X-Git-Tag: v2.6.13-rc6
|
||||
X-Git-Url: http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=6fc0b4a7a73a81e74d0004732df358f4f9975be2
|
||||
|
||||
[IPSEC]: Restrict socket policy loading to CAP_NET_ADMIN.
|
||||
|
||||
The interface needs much redesigning if we wish to allow
|
||||
normal users to do this in some way.
|
||||
|
||||
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
|
||||
--- a/net/ipv4/ip_sockglue.c
|
||||
+++ b/net/ipv4/ip_sockglue.c
|
||||
@@ -848,6 +848,9 @@ mc_msf_out:
|
||||
|
||||
case IP_IPSEC_POLICY:
|
||||
case IP_XFRM_POLICY:
|
||||
+ err = -EPERM;
|
||||
+ if (!capable(CAP_NET_ADMIN))
|
||||
+ break;
|
||||
err = xfrm_user_policy(sk, optname, optval, optlen);
|
||||
break;
|
||||
|
||||
--- a/net/ipv6/ipv6_sockglue.c
|
||||
+++ b/net/ipv6/ipv6_sockglue.c
|
||||
@@ -504,6 +504,9 @@ done:
|
||||
break;
|
||||
case IPV6_IPSEC_POLICY:
|
||||
case IPV6_XFRM_POLICY:
|
||||
+ retv = -EPERM;
|
||||
+ if (!capable(CAP_NET_ADMIN))
|
||||
+ break;
|
||||
retv = xfrm_user_policy(sk, optname, optval, optlen);
|
||||
break;
|
||||
|
|
@ -0,0 +1 @@
|
|||
+ net-sockglue-cap.patch
|
Loading…
Reference in New Issue