@@ -958,6 +958,9 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg)
proto = po->num;
addr = NULL;
} else {
+ if (!capable(CAP_NET_RAW))
+ return -EACCES;
+
err = -EINVAL;
if (msg->msg_namelen < sizeof(struct sockaddr_ll))
goto out;
@@ -1075,6 +1078,9 @@ static int packet_snd(struct socket *sock,
proto = po->num;
addr = NULL;
} else {
+ if (!capable(CAP_NET_RAW))
+ return -EACCES;
+
err = -EINVAL;
if (msg->msg_namelen < sizeof(struct sockaddr_ll))
goto out;
@@ -1284,6 +1290,8 @@ static int packet_bind_spkt(struct socket *sock, struct sockaddr *uaddr,
struct net_device *dev;
int err = -ENODEV;
+ if (!capable(CAP_NET_RAW))
+ return -EACCES;
/*
* Check legality
*/
@@ -1307,6 +1315,8 @@ static int packet_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len
struct net_device *dev = NULL;
int err;
+ if (!capable(CAP_NET_RAW))
+ return -EACCES;
/*
* Check legality
CAP_NET_RAW capability check is currently done only when creating a PF_PACKET socket. But there are so such checks when doing a bind() to a specific interface or sending a message to a specific interface via sendmsg() with msg->msg_name. So when a packet socket fd is passed to an un-privileged process, it can do a re-bind or send a message to any interface. We ran into this case when considering using raw socket backend for KVM guests with libvirt opening the packet socket and passing the fd to an un-priviliged qemu process. The following patch adds CAP_NET_RAW checks to bind() and sendmsg() with msg_name calls. Signed-off-by: Sridhar Samudrala <sri@us.ibm.com> -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html