Commit 3480c63b, authored by Patrick McHardy, committed by David S. Miller

[LLC]: Restrict LLC sockets to root

LLC currently allows users to inject raw frames, including IP packets
encapsulated in SNAP. While Linux doesn't handle IP over SNAP, other
systems do. Restrict LLC sockets to root similar to packet sockets.

[ Modified Patrick's patch to use CAP_NET_RAW --DaveM ]
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Parent 349fb2d6
...@@ -155,6 +155,9 @@ static int llc_ui_create(struct net *net, struct socket *sock, int protocol) ...@@ -155,6 +155,9 @@ static int llc_ui_create(struct net *net, struct socket *sock, int protocol)
struct sock *sk; struct sock *sk;
int rc = -ESOCKTNOSUPPORT; int rc = -ESOCKTNOSUPPORT;
if (!capable(CAP_NET_RAW))
return -EPERM;
if (net != &init_net) if (net != &init_net)
return -EAFNOSUPPORT; return -EAFNOSUPPORT;
......
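Review bot: the new `if (!capable(CAP_NET_RAW))` check at the top of llc_ui_create() has no comment explaining why LLC socket creation is gated, and the commit subject says "root" while the gate is a capability rather than a UID test. A one-line comment above the check, saying that LLC sockets allow raw frame injection (including IP encapsulated in SNAP) and are therefore restricted like packet sockets, would keep the rationale next to the code. Because the check runs before `if (net != &init_net)`, a caller without the capability in a non-initial network namespace now gets -EPERM instead of -EAFNOSUPPORT; if that ordering is intended, the changelog should say so.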