commit e982cc89839374bb1a504448401dfafaf772bdbf
Author: Patrick McHardy <[EMAIL PROTECTED]>
Date: Sun Apr 6 23:40:33 2008 -0700

LLC: Restrict LLC sockets to root

Upstream commit: 3480c63bdf008e9289aab94418f43b9592978fff

LLC currently allows users to inject raw frames, including IP packets
encapsulated in SNAP. While Linux doesn't handle IP over SNAP, other
systems do. Restrict LLC sockets to root similar to packet sockets.

[ Modified Patrick's patch to use CAP_NET_RAW --DaveM ]

Signed-off-by: Patrick McHardy <[EMAIL PROTECTED]>
Signed-off-by: David S. Miller <[EMAIL PROTECTED]>
Signed-off-by: Chris Wright <[EMAIL PROTECTED]>

diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c
index 46cf962..8c50eb4 100644
--- a/net/llc/af_llc.c
+++ b/net/llc/af_llc.c
@@ -155,6 +155,9 @@ static int llc_ui_create(struct net *net, struct socket
*sock, int protocol)
struct sock *sk;
int rc = -ESOCKTNOSUPPORT;
+ if (!capable(CAP_NET_RAW))
+ return -EPERM;
+
if (net != &init_net)
return -EAFNOSUPPORT;
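
Review bot: The new capable(CAP_NET_RAW) test at the top of llc_ui_create() has no comment, so a reader of af_llc.c cannot tell why creating an LLC socket needs a raw-network capability. A one-line comment above the check would record the reason from the commit message: LLC sockets can inject raw frames, including IP encapsulated in SNAP. The subject says "root", but what is enforced is the capability: a non-root process holding CAP_NET_RAW still passes, and a root process that has dropped it gets -EPERM, so the wording in the log and any documentation should say CAP_NET_RAW. Because the check runs before the net != &init_net test, an unprivileged caller in another namespace now sees -EPERM instead of -EAFNOSUPPORT. That ordering is reasonable, but it is a visible errno change for existing unprivileged users of AF_LLC and deserves a mention in the changelog.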