path: root/enforce-CAP_NET_RAW-for-raw-sockets.patch
Diffstat (limited to 'enforce-CAP_NET_RAW-for-raw-sockets.patch')
-rw-r--r--enforce-CAP_NET_RAW-for-raw-sockets.patch171
1 files changed, 0 insertions, 171 deletions
diff --git a/enforce-CAP_NET_RAW-for-raw-sockets.patch b/enforce-CAP_NET_RAW-for-raw-sockets.patch
deleted file mode 100644
index f253a35af..000000000
--- a/enforce-CAP_NET_RAW-for-raw-sockets.patch
+++ /dev/null
@@ -1,171 +0,0 @@
-From b91ee4aa2a2199ba4d4650706c272985a5a32d80 Mon Sep 17 00:00:00 2001
-From: Ori Nimron <orinimron123@gmail.com>
-Date: Fri, 20 Sep 2019 09:35:45 +0200
-Subject: mISDN: enforce CAP_NET_RAW for raw sockets
-
-When creating a raw AF_ISDN socket, CAP_NET_RAW needs to be checked
-first.
-
-Signed-off-by: Ori Nimron <orinimron123@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: David S. Miller <davem@davemloft.net>
----
- drivers/isdn/mISDN/socket.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/drivers/isdn/mISDN/socket.c b/drivers/isdn/mISDN/socket.c
-index c6ba37df4b9d..dff4132b3702 100644
---- a/drivers/isdn/mISDN/socket.c
-+++ b/drivers/isdn/mISDN/socket.c
-@@ -754,6 +754,8 @@ base_sock_create(struct net *net, struct socket *sock, int protocol, int kern)
-
- if (sock->type != SOCK_RAW)
- return -ESOCKTNOSUPPORT;
-+ if (!capable(CAP_NET_RAW))
-+ return -EPERM;
-
- sk = sk_alloc(net, PF_ISDN, GFP_KERNEL, &mISDN_proto, kern);
- if (!sk)
---
-cgit 1.2-0.3.lf.el7
-
-
-From 6cc03e8aa36c51f3b26a0d21a3c4ce2809c842ac Mon Sep 17 00:00:00 2001
-From: Ori Nimron <orinimron123@gmail.com>
-Date: Fri, 20 Sep 2019 09:35:46 +0200
-Subject: appletalk: enforce CAP_NET_RAW for raw sockets
-
-When creating a raw AF_APPLETALK socket, CAP_NET_RAW needs to be checked
-first.
-
-Signed-off-by: Ori Nimron <orinimron123@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: David S. Miller <davem@davemloft.net>
----
- net/appletalk/ddp.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/net/appletalk/ddp.c b/net/appletalk/ddp.c
-index 4072e9d394d6..b41375d4d295 100644
---- a/net/appletalk/ddp.c
-+++ b/net/appletalk/ddp.c
-@@ -1023,6 +1023,11 @@ static int atalk_create(struct net *net, struct socket *sock, int protocol,
- */
- if (sock->type != SOCK_RAW && sock->type != SOCK_DGRAM)
- goto out;
-+
-+ rc = -EPERM;
-+ if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW))
-+ goto out;
-+
- rc = -ENOMEM;
- sk = sk_alloc(net, PF_APPLETALK, GFP_KERNEL, &ddp_proto, kern);
- if (!sk)
---
-cgit 1.2-0.3.lf.el7
-
-
-From 0614e2b73768b502fc32a75349823356d98aae2c Mon Sep 17 00:00:00 2001
-From: Ori Nimron <orinimron123@gmail.com>
-Date: Fri, 20 Sep 2019 09:35:47 +0200
-Subject: ax25: enforce CAP_NET_RAW for raw sockets
-
-When creating a raw AF_AX25 socket, CAP_NET_RAW needs to be checked
-first.
-
-Signed-off-by: Ori Nimron <orinimron123@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: David S. Miller <davem@davemloft.net>
----
- net/ax25/af_ax25.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
-index ca5207767dc2..bb222b882b67 100644
---- a/net/ax25/af_ax25.c
-+++ b/net/ax25/af_ax25.c
-@@ -855,6 +855,8 @@ static int ax25_create(struct net *net, struct socket *sock, int protocol,
- break;
-
- case SOCK_RAW:
-+ if (!capable(CAP_NET_RAW))
-+ return -EPERM;
- break;
- default:
- return -ESOCKTNOSUPPORT;
---
-cgit 1.2-0.3.lf.el7
-
-
-From e69dbd4619e7674c1679cba49afd9dd9ac347eef Mon Sep 17 00:00:00 2001
-From: Ori Nimron <orinimron123@gmail.com>
-Date: Fri, 20 Sep 2019 09:35:48 +0200
-Subject: ieee802154: enforce CAP_NET_RAW for raw sockets
-
-When creating a raw AF_IEEE802154 socket, CAP_NET_RAW needs to be
-checked first.
-
-Signed-off-by: Ori Nimron <orinimron123@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Acked-by: Stefan Schmidt <stefan@datenfreihafen.org>
-Signed-off-by: David S. Miller <davem@davemloft.net>
----
- net/ieee802154/socket.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/net/ieee802154/socket.c b/net/ieee802154/socket.c
-index badc5cfe4dc6..d93d4531aa9b 100644
---- a/net/ieee802154/socket.c
-+++ b/net/ieee802154/socket.c
-@@ -1008,6 +1008,9 @@ static int ieee802154_create(struct net *net, struct socket *sock,
-
- switch (sock->type) {
- case SOCK_RAW:
-+ rc = -EPERM;
-+ if (!capable(CAP_NET_RAW))
-+ goto out;
- proto = &ieee802154_raw_prot;
- ops = &ieee802154_raw_ops;
- break;
---
-cgit 1.2-0.3.lf.el7
-
-
-From 3a359798b176183ef09efb7a3dc59abad1cc7104 Mon Sep 17 00:00:00 2001
-From: Ori Nimron <orinimron123@gmail.com>
-Date: Fri, 20 Sep 2019 09:35:49 +0200
-Subject: nfc: enforce CAP_NET_RAW for raw sockets
-
-When creating a raw AF_NFC socket, CAP_NET_RAW needs to be checked
-first.
-
-Signed-off-by: Ori Nimron <orinimron123@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: David S. Miller <davem@davemloft.net>
----
- net/nfc/llcp_sock.c | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c
-index 9b8742947aff..8dfea26536c9 100644
---- a/net/nfc/llcp_sock.c
-+++ b/net/nfc/llcp_sock.c
-@@ -1004,10 +1004,13 @@ static int llcp_sock_create(struct net *net, struct socket *sock,
- sock->type != SOCK_RAW)
- return -ESOCKTNOSUPPORT;
-
-- if (sock->type == SOCK_RAW)
-+ if (sock->type == SOCK_RAW) {
-+ if (!capable(CAP_NET_RAW))
-+ return -EPERM;
- sock->ops = &llcp_rawsock_ops;
-- else
-+ } else {
- sock->ops = &llcp_sock_ops;
-+ }
-
- sk = nfc_llcp_sock_alloc(sock, sock->type, GFP_ATOMIC, kern);
- if (sk == NULL)
---
-cgit 1.2-0.3.lf.el7
-