[<prev] [next>] [day] [month] [year] [list]
Message-ID: <45D65B68.7040406@simon.arlott.org.uk>
Date: Sat, 17 Feb 2007 01:33:28 +0000
From: Simon Arlott <simon@...ott.org>
To: Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: CAP_NET_BIND_SERVICE checking in inet_bind vs socket_bind
Why does inet_bind (instead of socket_bind) check that ports below 1024 require CAP_NET_BIND_SERVICE?
Couldn't this check be moved to the dummy socket_bind so that the behaviour can be changed by a security module?
---
diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
index cf358c8..d75a2c5 100644
--- a/net/ipv4/af_inet.c
+++ b/net/ipv4/af_inet.c
@@ -431,9 +431,11 @@ int inet_bind(struct socket *sock, struc
goto out;
snum = ntohs(addr->sin_port);
+#ifndef CONFIG_SECURITY_NETWORK
err = -EACCES;
if (snum && snum < PROT_SOCK && !capable(CAP_NET_BIND_SERVICE))
goto out;
+#endif
/* We keep a pair of addresses. rcv_saddr is the one
* used by hash lookups, and saddr is used for transmit.
diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
index 3585d8f..768989d 100644
--- a/net/ipv6/af_inet6.c
+++ b/net/ipv6/af_inet6.c
@@ -262,8 +262,10 @@ int inet6_bind(struct socket *sock, stru
return -EINVAL;
snum = ntohs(addr->sin6_port);
+#ifndef CONFIG_SECURITY_NETWORK
if (snum && snum < PROT_SOCK && !capable(CAP_NET_BIND_SERVICE))
return -EACCES;
+#endif
lock_sock(sk);
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
diff --git a/security/dummy.c b/security/dummy.c
index 558795b..1315b19 100644
--- a/security/dummy.c
+++ b/security/dummy.c
@@ -29,6 +29,8 @@ #include <linux/hugetlb.h>
#include <linux/ptrace.h>
#include <linux/file.h>
+#include <linux/in.h>
+
static int dummy_ptrace (struct task_struct *parent, struct task_struct *child)
{
return 0;
@@ -718,6 +720,26 @@ static int dummy_socket_post_create (str
static int dummy_socket_bind (struct socket *sock, struct sockaddr *address,
int addrlen)
{
+ switch (address->sa_family) {
+#ifdef INET
+ case PF_INET: {
+ struct sockaddr_in *addr = (struct sockaddr_in *)address;
+ unsigned short snum;
+ snum = ntohs((addr->sin_port));
+ if (snum && snum < PROT_SOCK && !capable(CAP_NET_BIND_SERVICE))
+ return -EACCES;
+ break;
+ }
+ case PF_INET6: {
+ struct sockaddr_in6 *addr = (struct sockaddr_in6 *)address;
+ unsigned short snum;
+ snum = ntohs(addr->sin6_port);
+ if (snum && snum < PROT_SOCK && !capable(CAP_NET_BIND_SERVICE))
+ return -EACCES;
+ break;
+ }
+#endif
+ }
return 0;
}
--
Simon Arlott
Download attachment "signature.asc" of type "application/pgp-signature" (830 bytes)
Powered by blists - more mailing lists