diff options
| author | Eric W. Biederman <ebiederm@xmission.com> | 2012-11-15 22:03:12 -0500 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2012-11-18 20:33:37 -0500 |
| commit | 3594698a1fb8e5ae60a92c72ce9ca280256939a7 (patch) | |
| tree | 54360b8a85136ebfeb10f76cfa207a23fb6035e9 /net/sctp | |
| parent | b51642f6d77b131dc85d1d71029c3cbb5b07c262 (diff) | |
net: Make CAP_NET_BIND_SERVICE per user namespace
Allow privileged users in any user namespace to bind to
privileged sockets in network namespaces they control.
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/sctp')
| -rw-r--r-- | net/sctp/socket.c | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/net/sctp/socket.c b/net/sctp/socket.c index 15379acd9c08..2e897069310a 100644 --- a/net/sctp/socket.c +++ b/net/sctp/socket.c | |||
| @@ -335,6 +335,7 @@ static struct sctp_af *sctp_sockaddr_af(struct sctp_sock *opt, | |||
| 335 | /* Bind a local address either to an endpoint or to an association. */ | 335 | /* Bind a local address either to an endpoint or to an association. */ |
| 336 | SCTP_STATIC int sctp_do_bind(struct sock *sk, union sctp_addr *addr, int len) | 336 | SCTP_STATIC int sctp_do_bind(struct sock *sk, union sctp_addr *addr, int len) |
| 337 | { | 337 | { |
| 338 | struct net *net = sock_net(sk); | ||
| 338 | struct sctp_sock *sp = sctp_sk(sk); | 339 | struct sctp_sock *sp = sctp_sk(sk); |
| 339 | struct sctp_endpoint *ep = sp->ep; | 340 | struct sctp_endpoint *ep = sp->ep; |
| 340 | struct sctp_bind_addr *bp = &ep->base.bind_addr; | 341 | struct sctp_bind_addr *bp = &ep->base.bind_addr; |
| @@ -378,7 +379,8 @@ SCTP_STATIC int sctp_do_bind(struct sock *sk, union sctp_addr *addr, int len) | |||
| 378 | } | 379 | } |
| 379 | } | 380 | } |
| 380 | 381 | ||
| 381 | if (snum && snum < PROT_SOCK && !capable(CAP_NET_BIND_SERVICE)) | 382 | if (snum && snum < PROT_SOCK && |
| 383 | !ns_capable(net->user_ns, CAP_NET_BIND_SERVICE)) | ||
| 382 | return -EACCES; | 384 | return -EACCES; |
| 383 | 385 | ||
| 384 | /* See if the address matches any of the addresses we may have | 386 | /* See if the address matches any of the addresses we may have |
| @@ -1161,7 +1163,7 @@ static int __sctp_connect(struct sock* sk, | |||
| 1161 | * be permitted to open new associations. | 1163 | * be permitted to open new associations. |
| 1162 | */ | 1164 | */ |
| 1163 | if (ep->base.bind_addr.port < PROT_SOCK && | 1165 | if (ep->base.bind_addr.port < PROT_SOCK && |
| 1164 | !capable(CAP_NET_BIND_SERVICE)) { | 1166 | !ns_capable(net->user_ns, CAP_NET_BIND_SERVICE)) { |
| 1165 | err = -EACCES; | 1167 | err = -EACCES; |
| 1166 | goto out_free; | 1168 | goto out_free; |
| 1167 | } | 1169 | } |
| @@ -1790,7 +1792,7 @@ SCTP_STATIC int sctp_sendmsg(struct kiocb *iocb, struct sock *sk, | |||
| 1790 | * associations. | 1792 | * associations. |
| 1791 | */ | 1793 | */ |
| 1792 | if (ep->base.bind_addr.port < PROT_SOCK && | 1794 | if (ep->base.bind_addr.port < PROT_SOCK && |
| 1793 | !capable(CAP_NET_BIND_SERVICE)) { | 1795 | !ns_capable(net->user_ns, CAP_NET_BIND_SERVICE)) { |
| 1794 | err = -EACCES; | 1796 | err = -EACCES; |
| 1795 | goto out_unlock; | 1797 | goto out_unlock; |
| 1796 | } | 1798 | } |