net: check kern before calling security subsystem

Before calling capable(CAP_NET_RAW) check if this operations is on behalf
of the kernel or on behalf of userspace.  Do not do the security check if
it is on behalf of the kernel.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Eric Paris 2009-11-05 20:45:52 -08:00 committed by David S. Miller
parent 3f378b6844
commit c84b3268da
3 changed files with 3 additions and 3 deletions

View file

@ -832,7 +832,7 @@ static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol,
sock->type != SOCK_DGRAM && sock->type != SOCK_RAW)
return -ESOCKTNOSUPPORT;
if (sock->type == SOCK_RAW && !capable(CAP_NET_RAW))
if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW))
return -EPERM;
sock->ops = &l2cap_sock_ops;

View file

@ -326,7 +326,7 @@ lookup_protocol:
}
err = -EPERM;
if (sock->type == SOCK_RAW && !capable(CAP_NET_RAW))
if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW))
goto out_rcu_unlock;
err = -EAFNOSUPPORT;

View file

@ -159,7 +159,7 @@ lookup_protocol:
}
err = -EPERM;
if (sock->type == SOCK_RAW && !capable(CAP_NET_RAW))
if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW))
goto out_rcu_unlock;
sock->ops = answer->ops;