From: Patrick McHardy Date: Mon, 7 Apr 2008 06:40:33 +0000 (-0700) Subject: LLC: Restrict LLC sockets to root X-Git-Tag: v2.6.24.5~34 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e982cc89839374bb1a504448401dfafaf772bdbf;p=thirdparty%2Fkernel%2Fstable.git LLC: Restrict LLC sockets to root Upstream commit: 3480c63bdf008e9289aab94418f43b9592978fff LLC currently allows users to inject raw frames, including IP packets encapsulated in SNAP. While Linux doesn't handle IP over SNAP, other systems do. Restrict LLC sockets to root similar to packet sockets. [ Modified Patrick's patch to use CAP_NEW_RAW --DaveM ] Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller Signed-off-by: Chris Wright --- diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c index 46cf962f7f888..8c50eb430c195 100644 --- a/net/llc/af_llc.c +++ b/net/llc/af_llc.c @@ -155,6 +155,9 @@ static int llc_ui_create(struct net *net, struct socket *sock, int protocol) struct sock *sk; int rc = -ESOCKTNOSUPPORT; + if (!capable(CAP_NET_RAW)) + return -EPERM; + if (net != &init_net) return -EAFNOSUPPORT;
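Review bot: the capability tested in the added lines at the top of llc_ui_create() is CAP_NET_RAW, but the bracketed note in the commit message names CAP_NEW_RAW. The message should be corrected so that a search of the log for the capability finds this change. The new check also carries no comment. A one-line comment above `if (!capable(CAP_NET_RAW))` stating that LLC sockets can inject raw frames (including IP encapsulated in SNAP) and are therefore gated like packet sockets would keep the rationale next to the code. Two behaviours are worth stating explicitly in the message. First, the check runs before the `net != &init_net` test, so an unprivileged caller in a non-initial namespace now gets -EPERM rather than -EAFNOSUPPORT. Second, the gate applies only at socket creation, so an LLC socket that was opened by a privileged process and then inherited by or passed to an unprivileged one remains usable.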