Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 3594698a authored by Eric W. Biederman's avatar Eric W. Biederman Committed by David S. Miller
Browse files

net: Make CAP_NET_BIND_SERVICE per user namespace 



Allow privileged users in any user namespace to bind to
privileged sockets in network namespaces they control.

Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent b51642f6

net/ipv4/af_inet.c

+4 −2
Original line number Diff line number Diff line
@@ -474,6 +474,7 @@ int inet_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) 
	struct sockaddr_in *addr = (struct sockaddr_in *)uaddr;

	struct sock *sk = sock->sk;

	struct inet_sock *inet = inet_sk(sk);

	struct net *net = sock_net(sk);

	unsigned short snum;

	int chk_addr_ret;

	int err;
@@ -497,7 +498,7 @@ int inet_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) 
			goto out;

	}



	chk_addr_ret = inet_addr_type(sock_net(sk), addr->sin_addr.s_addr);

	chk_addr_ret = inet_addr_type(net, addr->sin_addr.s_addr);



	/* Not specified by any standard per-se, however it breaks too

	 * many applications when removed.  It is unfortunate since
@@ -517,7 +518,8 @@ int inet_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) 


	snum = ntohs(addr->sin_port);

	err = -EACCES;

	if (snum && snum < PROT_SOCK && !capable(CAP_NET_BIND_SERVICE))

	if (snum && snum < PROT_SOCK &&

	    !ns_capable(net->user_ns, CAP_NET_BIND_SERVICE))

		goto out;



	/*      We keep a pair of addresses. rcv_saddr is the one

net/ipv6/af_inet6.c

+1 −1
Original line number Diff line number Diff line
@@ -283,7 +283,7 @@ int inet6_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) 
		return -EINVAL;



	snum = ntohs(addr->sin6_port);

	if (snum && snum < PROT_SOCK && !capable(CAP_NET_BIND_SERVICE))

	if (snum && snum < PROT_SOCK && !ns_capable(net->user_ns, CAP_NET_BIND_SERVICE))

		return -EACCES;



	lock_sock(sk);

net/sctp/socket.c

+5 −3
Original line number Diff line number Diff line
@@ -335,6 +335,7 @@ static struct sctp_af *sctp_sockaddr_af(struct sctp_sock *opt, 
/* Bind a local address either to an endpoint or to an association.  */

SCTP_STATIC int sctp_do_bind(struct sock *sk, union sctp_addr *addr, int len)

{

	struct net *net = sock_net(sk);

	struct sctp_sock *sp = sctp_sk(sk);

	struct sctp_endpoint *ep = sp->ep;

	struct sctp_bind_addr *bp = &ep->base.bind_addr;
@@ -378,7 +379,8 @@ SCTP_STATIC int sctp_do_bind(struct sock *sk, union sctp_addr *addr, int len) 
		}

	}



	if (snum && snum < PROT_SOCK && !capable(CAP_NET_BIND_SERVICE))

	if (snum && snum < PROT_SOCK &&

	    !ns_capable(net->user_ns, CAP_NET_BIND_SERVICE))

		return -EACCES;



	/* See if the address matches any of the addresses we may have
@@ -1161,7 +1163,7 @@ static int __sctp_connect(struct sock* sk, 
				 * be permitted to open new associations.

				 */

				if (ep->base.bind_addr.port < PROT_SOCK &&

				    !capable(CAP_NET_BIND_SERVICE)) {

				    !ns_capable(net->user_ns, CAP_NET_BIND_SERVICE)) {

					err = -EACCES;

					goto out_free;

				}
@@ -1790,7 +1792,7 @@ SCTP_STATIC int sctp_sendmsg(struct kiocb *iocb, struct sock *sk, 
			 * associations.

			 */

			if (ep->base.bind_addr.port < PROT_SOCK &&

			    !capable(CAP_NET_BIND_SERVICE)) {

			    !ns_capable(net->user_ns, CAP_NET_BIND_SERVICE)) {

				err = -EACCES;

				goto out_unlock;

			}