security: Add AID_NET_RAW and AID_NET_ADMIN capability check in cap_capable(). (7985836f) · Commits · e / devices / android_kernel_xiaomi_markw

include/linux/android_aid.h

+1 −0

Original line number	Diff line number	Diff line
		@@ -21,5 +21,6 @@
		#define AID_OBSOLETE_001 KGIDT_INIT(3002) /* was NET_BT */
		#define AID_INET KGIDT_INIT(3003)
		#define AID_NET_RAW KGIDT_INIT(3004)
		#define AID_NET_ADMIN KGIDT_INIT(3005)

		#endif

+9 −0

Original line number	Diff line number	Diff line
		@@ -31,6 +31,10 @@
		#include <linux/binfmts.h>
		#include <linux/personality.h>

		#ifdef CONFIG_ANDROID_PARANOID_NETWORK
		#include <linux/android_aid.h>
		#endif

		/*
		* If a non-root user executes a setuid-root binary in
		* !secure(SECURE_NOROOT) mode, then we raise capabilities.
		@@ -78,6 +82,11 @@ int cap_capable(const struct cred cred, struct user_namespace targ_ns,
		{
		struct user_namespace *ns = targ_ns;

		if (cap == CAP_NET_RAW && in_egroup_p(AID_NET_RAW))
		return 0;
		if (cap == CAP_NET_ADMIN && in_egroup_p(AID_NET_ADMIN))
		return 0;

		/* See if cred has the capability in the target user namespace
		* by examining the target user namespace and all of the target
		* user namespace's parents.