[IPSEC]: Restrict socket policy loading to CAP_NET_ADMIN.
The interface needs much redesigning if we wish to allow normal users to do this in some way. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
parent
534afb90a9
commit
6fc0b4a7a7
2 changed files with 6 additions and 0 deletions
|
@ -848,6 +848,9 @@ int ip_setsockopt(struct sock *sk, int level, int optname, char __user *optval,
|
|||
|
||||
case IP_IPSEC_POLICY:
|
||||
case IP_XFRM_POLICY:
|
||||
err = -EPERM;
|
||||
if (!capable(CAP_NET_ADMIN))
|
||||
break;
|
||||
err = xfrm_user_policy(sk, optname, optval, optlen);
|
||||
break;
|
||||
|
||||
|
|
|
@ -504,6 +504,9 @@ int ipv6_setsockopt(struct sock *sk, int level, int optname,
|
|||
break;
|
||||
case IPV6_IPSEC_POLICY:
|
||||
case IPV6_XFRM_POLICY:
|
||||
retv = -EPERM;
|
||||
if (!capable(CAP_NET_ADMIN))
|
||||
break;
|
||||
retv = xfrm_user_policy(sk, optname, optval, optlen);
|
||||
break;
|
||||
|
||||
|
|
Loading…
Reference in a new issue