[LLC]: Restrict LLC sockets to root

LLC currently allows users to inject raw frames, including IP packets encapsulated in SNAP. While Linux doesn't handle IP over SNAP, other systems do. Restrict LLC sockets to root similar to packet sockets. [ Modified Patrick's patch to use CAP_NEW_RAW --DaveM ] Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Patrick McHardy <kaber@trash.net> 2008-03-28 03:28:10 (GMT)
committer: David S. Miller <davem@davemloft.net> 2008-03-28 03:28:10 (GMT)
commit: 3480c63bdf008e9289aab94418f43b9592978fff (patch)
tree: 14a355d650dc467e105fe00bc62a3599e890bc50
parent: 349fb2d6492e7d644bc8e670ba11d764a3e2901b (diff)
download: linux-fsl-qoriq-3480c63bdf008e9289aab94418f43b9592978fff.tar.xz
1 files changed, 3 insertions, 0 deletions
diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c
index 46cf962..8c50eb4 100644
--- a/net/llc/af_llc.c
+++ b/net/llc/af_llc.c
@@ -155,6 +155,9 @@ static int llc_ui_create(struct net *net, struct socket *sock, int protocol)
 	struct sock *sk;
 	int rc = -ESOCKTNOSUPPORT;
 
+	if (!capable(CAP_NET_RAW))
+		return -EPERM;
+
 	if (net != &init_net)
 		return -EAFNOSUPPORT;
author	Patrick McHardy <kaber@trash.net>	2008-03-28 03:28:10 (GMT)
committer	David S. Miller <davem@davemloft.net>	2008-03-28 03:28:10 (GMT)
commit	3480c63bdf008e9289aab94418f43b9592978fff (patch)
tree	14a355d650dc467e105fe00bc62a3599e890bc50
parent	349fb2d6492e7d644bc8e670ba11d764a3e2901b (diff)
download	linux-fsl-qoriq-3480c63bdf008e9289aab94418f43b9592978fff.tar.xz