[LLC]: Restrict LLC sockets to root · 3480c63bdf - Gogs: Go Git Service GfA electronic

[LLC]: Restrict LLC sockets to root

LLC currently allows users to inject raw frames, including IP packets
encapsulated in SNAP. While Linux doesn't handle IP over SNAP, other
systems do. Restrict LLC sockets to root similar to packet sockets.

[ Modified Patrick's patch to use CAP_NEW_RAW --DaveM ]

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

Patrick McHardy 17 년 전

부모

349fb2d649

커밋

3480c63bdf

1개의 변경된 파일과 3개의 추가작업 그리고 0개의 파일을 삭제

분할 보기 변경상태 보기

						
							+ 3
							
							- 0
						
net/llc/af_llc.c
							 
								파일 보기
							
				@@ -155,6 +155,9 @@ static int llc_ui_create(struct net *net, struct socket *sock, int protocol)
			
				 	struct sock *sk;
			
				 	int rc = -ESOCKTNOSUPPORT;
			
				+	if (!capable(CAP_NET_RAW))
			
				+		return -EPERM;
			
				+
			
				 	if (net != &init_net)
			
				 		return -EAFNOSUPPORT;