[IPSEC]: Restrict socket policy loading to CAP_NET_ADMIN. The interface needs much redesigning if we wish to allow normal users to do this in some way. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>

commit: 6fc0b4a7a73a81e74d0004732df358f4f9975be2 [log] [tgz]
author: Herbert Xu <herbert@gondor.apana.org.au> Sat Aug 06 06:33:15 2005 -0700
committer: David S. Miller <davem@davemloft.net> Sat Aug 06 06:33:15 2005 -0700
tree: ac2c68e206efbfe378728a50be30ef0bccd0cdff
parent: 534afb90a9cd0b9643f62d660c164e1d924f39cf [diff]
diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
index fc7c481..ff4bd06 100644
--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c

@@ -848,6 +848,9 @@
  
 		case IP_IPSEC_POLICY:
 		case IP_XFRM_POLICY:
+			err = -EPERM;
+			if (!capable(CAP_NET_ADMIN))
+				break;
 			err = xfrm_user_policy(sk, optname, optval, optlen);
 			break;
 

diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
index f3ef4c3..3bc144a 100644
--- a/net/ipv6/ipv6_sockglue.c
+++ b/net/ipv6/ipv6_sockglue.c

@@ -504,6 +504,9 @@
 		break;
 	case IPV6_IPSEC_POLICY:
 	case IPV6_XFRM_POLICY:
+		retv = -EPERM;
+		if (!capable(CAP_NET_ADMIN))
+			break;
 		retv = xfrm_user_policy(sk, optname, optval, optlen);
 		break;
commit	6fc0b4a7a73a81e74d0004732df358f4f9975be2	[log] [tgz]
author	Herbert Xu <herbert@gondor.apana.org.au>	Sat Aug 06 06:33:15 2005 -0700
committer	David S. Miller <davem@davemloft.net>	Sat Aug 06 06:33:15 2005 -0700
tree	ac2c68e206efbfe378728a50be30ef0bccd0cdff
parent	534afb90a9cd0b9643f62d660c164e1d924f39cf [diff]