From b91ee4aa2a2199ba4d4650706c272985a5a32d80 Mon Sep 17 00:00:00 2001
From: Ori Nimron <orinimron123@gmail.com>
Date: Fri, 20 Sep 2019 09:35:45 +0200
Subject: mISDN: enforce CAP_NET_RAW for raw sockets
When creating a raw AF_ISDN socket, CAP_NET_RAW needs to be checked
first.
Signed-off-by: Ori Nimron <orinimron123@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
 drivers/isdn/mISDN/socket.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/drivers/isdn/mISDN/socket.c b/drivers/isdn/mISDN/socket.c
index c6ba37df4b9d..dff4132b3702 100644
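--- a/drivers/isdn/mISDN/socket.c
+++ b/drivers/isdn/mISDN/socket.c
@@ -754,6 +754,8 @@ base_sock_create(struct net *net, struct socket *sock, int protocol, int kern)
 
 	if (sock->type != SOCK_RAW)
 		return -ESOCKTNOSUPPORT;
+	if (!capable(CAP_NET_RAW))
+		return -EPERM;
 
 	sk = sk_alloc(net, PF_ISDN, GFP_KERNEL, &mISDN_proto, kern);
 	if (!sk)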
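Review bot: The added `capable(CAP_NET_RAW)` test in base_sock_create() does not consult the `kern` argument the function already receives, so a socket created from inside the kernel is also judged by the credentials of whichever task is current. The appletalk patch in this series guards the same check with `!kern`, while the ax25, ieee802154 and nfc hunks, like this one, do not. If in-kernel callers are meant to be exempt, the line would read `if (!kern && !capable(CAP_NET_RAW))`; if they are not, the appletalk check should drop `!kern` so the five families agree. The body of base_sock_create() starts and ends outside the hunk, so whether any in-kernel caller exists cannot be seen here.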
-- 
cgit 1.2-0.3.lf.el7
From 6cc03e8aa36c51f3b26a0d21a3c4ce2809c842ac Mon Sep 17 00:00:00 2001
From: Ori Nimron <orinimron123@gmail.com>
Date: Fri, 20 Sep 2019 09:35:46 +0200
Subject: appletalk: enforce CAP_NET_RAW for raw sockets
When creating a raw AF_APPLETALK socket, CAP_NET_RAW needs to be checked
first.
Signed-off-by: Ori Nimron <orinimron123@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
 net/appletalk/ddp.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/net/appletalk/ddp.c b/net/appletalk/ddp.c
index 4072e9d394d6..b41375d4d295 100644
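--- a/net/appletalk/ddp.c
+++ b/net/appletalk/ddp.c
@@ -1023,6 +1023,11 @@ static int atalk_create(struct net *net, struct socket *sock, int protocol,
 	 */
 	if (sock->type != SOCK_RAW && sock->type != SOCK_DGRAM)
 		goto out;
+
+	rc = -EPERM;
+	if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW))
+		goto out;
+
 	rc = -ENOMEM;
 	sk = sk_alloc(net, PF_APPLETALK, GFP_KERNEL, &ddp_proto, kern);
 	if (!sk)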
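Review bot: The new permission block after the socket-type test carries no comment saying why `kern` is exempt, and it is the only check in this series that makes that exemption. A one-line comment above `rc = -EPERM;` would record the intent, for example `/* Unprivileged userspace may not open raw sockets; in-kernel creation (kern != 0) is exempt. */`. atalk_create() continues past the hunk, so what the `out` label does with `rc` is assumed rather than seen.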
-- 
cgit 1.2-0.3.lf.el7
From 0614e2b73768b502fc32a75349823356d98aae2c Mon Sep 17 00:00:00 2001
From: Ori Nimron <orinimron123@gmail.com>
Date: Fri, 20 Sep 2019 09:35:47 +0200
Subject: ax25: enforce CAP_NET_RAW for raw sockets
When creating a raw AF_AX25 socket, CAP_NET_RAW needs to be checked
first.
Signed-off-by: Ori Nimron <orinimron123@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
 net/ax25/af_ax25.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
index ca5207767dc2..bb222b882b67 100644
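--- a/net/ax25/af_ax25.c
+++ b/net/ax25/af_ax25.c
@@ -855,6 +855,8 @@ static int ax25_create(struct net *net, struct socket *sock, int protocol,
 		break;
 
 	case SOCK_RAW:
+		if (!capable(CAP_NET_RAW))
+			return -EPERM;
 		break;
 	default:
 		return -ESOCKTNOSUPPORT;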
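Review bot: `capable(CAP_NET_RAW)` in the `SOCK_RAW` case tests the capability against the initial user namespace, so a task that holds CAP_NET_RAW only inside its own user namespace is refused. That is the stricter choice and is probably intended, but nothing states it; a comment such as `/* deliberately capable(), not ns_capable(net->user_ns, ...): raw access needs init-userns privilege */` would keep a later cleanup from relaxing it unnoticed. The same applies to the checks in the mISDN, appletalk, ieee802154 and nfc patches. Whether ax25_create() can run outside the initial network namespace at all is not visible in this hunk.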
-- 
cgit 1.2-0.3.lf.el7
From e69dbd4619e7674c1679cba49afd9dd9ac347eef Mon Sep 17 00:00:00 2001
From: Ori Nimron <orinimron123@gmail.com>
Date: Fri, 20 Sep 2019 09:35:48 +0200
Subject: ieee802154: enforce CAP_NET_RAW for raw sockets
When creating a raw AF_IEEE802154 socket, CAP_NET_RAW needs to be
checked first.
Signed-off-by: Ori Nimron <orinimron123@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Acked-by: Stefan Schmidt <stefan@datenfreihafen.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
 net/ieee802154/socket.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/net/ieee802154/socket.c b/net/ieee802154/socket.c
index badc5cfe4dc6..d93d4531aa9b 100644
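--- a/net/ieee802154/socket.c
+++ b/net/ieee802154/socket.c
@@ -1008,6 +1008,9 @@ static int ieee802154_create(struct net *net, struct socket *sock,
 
 	switch (sock->type) {
 	case SOCK_RAW:
+		rc = -EPERM;
+		if (!capable(CAP_NET_RAW))
+			goto out;
 		proto = &ieee802154_raw_prot;
 		ops = &ieee802154_raw_ops;
 		break;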
-- 
cgit 1.2-0.3.lf.el7
From 3a359798b176183ef09efb7a3dc59abad1cc7104 Mon Sep 17 00:00:00 2001
From: Ori Nimron <orinimron123@gmail.com>
Date: Fri, 20 Sep 2019 09:35:49 +0200
Subject: nfc: enforce CAP_NET_RAW for raw sockets
When creating a raw AF_NFC socket, CAP_NET_RAW needs to be checked
first.
Signed-off-by: Ori Nimron <orinimron123@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
 net/nfc/llcp_sock.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c
index 9b8742947aff..8dfea26536c9 100644
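--- a/net/nfc/llcp_sock.c
+++ b/net/nfc/llcp_sock.c
@@ -1004,10 +1004,13 @@ static int llcp_sock_create(struct net *net, struct socket *sock,
 	    sock->type != SOCK_RAW)
 		return -ESOCKTNOSUPPORT;
 
-	if (sock->type == SOCK_RAW)
+	if (sock->type == SOCK_RAW) {
+		if (!capable(CAP_NET_RAW))
+			return -EPERM;
 		sock->ops = &llcp_rawsock_ops;
-	else
+	} else {
 		sock->ops = &llcp_sock_ops;
+	}
 
 	sk = nfc_llcp_sock_alloc(sock, sock->type, GFP_ATOMIC, kern);
 	if (sk == NULL)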
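Review bot: The check is placed inside the `if (sock->type == SOCK_RAW)` branch, which forces braces onto both arms and rewrites two lines that did not otherwise change. A guard ahead of the ops selection, `if (sock->type == SOCK_RAW && !capable(CAP_NET_RAW))` followed by `return -EPERM;`, would give the same result as a two-line addition and would match the shape of the appletalk check in this series. llcp_sock_create() begins and ends outside the hunk.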
-- 
cgit 1.2-0.3.lf.el7