Message-Id: <20220504095459.2663513-1-eyal.birger@gmail.com>
Date: Wed, 4 May 2022 12:54:59 +0300
From: Eyal Birger <eyal.birger@...il.com>
To: davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org,
pabeni@...hat.com, asml.silence@...il.com
Cc: aahringo@...hat.com, weiwan@...gle.com, fw@...len.de,
yangbo.lu@....com, tglx@...utronix.de, dsahern@...nel.org,
lnx.erin@...il.com, mkl@...gutronix.de, netdev@...r.kernel.org,
Eyal Birger <eyal.birger@...il.com>
Subject: [PATCH net-next] net: align SO_RCVMARK required privileges with SO_MARK
The commit referenced in the "Fixes" tag added the SO_RCVMARK socket
option for receiving the skb mark in the ancillary data.
Since this is a new capability, and exposes admin configured details
regarding the underlying network setup to sockets, let's align the
needed capabilities with those of SO_MARK.
Fixes: 6fd1d51cfa25 ("net: SO_RCVMARK socket option for SO_MARK with recvmsg()")
Signed-off-by: Eyal Birger <eyal.birger@...il.com>
---
net/core/sock.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/net/core/sock.c b/net/core/sock.c
index be20a1af20e5..6b287eb5427b 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -1315,6 +1315,12 @@ int sock_setsockopt(struct socket *sock, int level, int optname,
__sock_set_mark(sk, val);
break;
case SO_RCVMARK:
+ if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_RAW) &&
+ !ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN)) {
+ ret = -EPERM;
+ break;
+ }
+
sock_valbool_flag(sk, SOCK_RCVMARK, valbool);
break;
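Review bot: In the SO_RCVMARK case the new capability test runs before valbool is consulted, so a caller without CAP_NET_RAW or CAP_NET_ADMIN gets -EPERM when clearing SOCK_RCVMARK as well as when setting it. If only enabling is meant to be privileged, check valbool first; if gating both directions is intended, say so in the commit message. The test is made against sock_net(sk)->user_ns, so any task holding either capability in the user namespace that owns the socket's network namespace passes. A one-line comment above the `if` stating that this mirrors SO_MARK would document that intent. Since the SO_MARK check itself is not visible in this hunk, consider moving the two-capability test into a helper shared by both cases so the options cannot drift apart.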
--
2.34.1