[LLC]: Restrict LLC sockets to root · 3480c63bdf - Gogs: Go Git Service GfA electronic

Эх сурвалжийг харах

[LLC]: Restrict LLC sockets to root

LLC currently allows users to inject raw frames, including IP packets
encapsulated in SNAP. While Linux doesn't handle IP over SNAP, other
systems do. Restrict LLC sockets to root similar to packet sockets.

[ Modified Patrick's patch to use CAP_NEW_RAW --DaveM ]

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

Patrick McHardy 18 жил өмнө

parent

349fb2d649

commit

3480c63bdf

1 өөрчлөгдсөн 3 нэмэгдсэн , 0 устгасан

Өөрчлөлтийг ялгаж харах Өөрчлөлтийн статистик харах

						
							+ 3
							
							- 0
						
net/llc/af_llc.c
							 
								Файл харах
							
				@@ -155,6 +155,9 @@ static int llc_ui_create(struct net *net, struct socket *sock, int protocol)
			
				 	struct sock *sk;
			
				 	int rc = -ESOCKTNOSUPPORT;
			
				+	if (!capable(CAP_NET_RAW))
			
				+		return -EPERM;
			
				+
			
				 	if (net != &init_net)
			
				 		return -EAFNOSUPPORT;