Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 6fc0b4a7 authored by Herbert Xu's avatar Herbert Xu Committed by David S. Miller
Browse files

[IPSEC]: Restrict socket policy loading to CAP_NET_ADMIN. 



The interface needs much redesigning if we wish to allow
normal users to do this in some way.

Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 534afb90

net/ipv4/ip_sockglue.c

+3 −0
Original line number Diff line number Diff line
@@ -848,6 +848,9 @@ int ip_setsockopt(struct sock *sk, int level, int optname, char __user *optval, 
 

		case IP_IPSEC_POLICY:

		case IP_XFRM_POLICY:

			err = -EPERM;

			if (!capable(CAP_NET_ADMIN))

				break;

			err = xfrm_user_policy(sk, optname, optval, optlen);

			break;

net/ipv6/ipv6_sockglue.c

+3 −0
Original line number Diff line number Diff line
@@ -504,6 +504,9 @@ int ipv6_setsockopt(struct sock *sk, int level, int optname, 
		break;

	case IPV6_IPSEC_POLICY:

	case IPV6_XFRM_POLICY:

		retv = -EPERM;

		if (!capable(CAP_NET_ADMIN))

			break;

		retv = xfrm_user_policy(sk, optname, optval, optlen);

		break;