Commit 3594698a1fb8e5ae60a92c72ce9ca280256939a7
Committed by
David S. Miller
1 parent
b51642f6d7
Exists in
smarc-l5.0.0_1.0.0-ga
and in
5 other branches
net: Make CAP_NET_BIND_SERVICE per user namespace
Allow privileged users in any user namespace to bind to privileged sockets in network namespaces they control.

Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Showing 3 changed files with 10 additions and 6 deletions
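--- a/net/ipv4/af_inet.c
+++ b/net/ipv4/af_inet.c
@@ -474,6 +474,7 @@
 struct sockaddr_in *addr = (struct sockaddr_in *)uaddr;
 struct sock *sk = sock->sk;
 struct inet_sock *inet = inet_sk(sk);
+struct net *net = sock_net(sk);
 unsigned short snum;
 int chk_addr_ret;
 int err;
@@ -497,7 +498,7 @@
 goto out;
 }
 
-chk_addr_ret = inet_addr_type(sock_net(sk), addr->sin_addr.s_addr);
+chk_addr_ret = inet_addr_type(net, addr->sin_addr.s_addr);
 
 /* Not specified by any standard per-se, however it breaks too
 * many applications when removed. It is unfortunate since
@@ -517,7 +518,8 @@
 
 snum = ntohs(addr->sin_port);
 err = -EACCES;
-if (snum && snum < PROT_SOCK && !capable(CAP_NET_BIND_SERVICE))
+if (snum && snum < PROT_SOCK &&
+!ns_capable(net->user_ns, CAP_NET_BIND_SERVICE))
 goto out;
 
 /* We keep a pair of addresses. rcv_saddr is the one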
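Review bot: The low-port test at new lines 521-522 has no comment saying which user namespace the capability is checked in, and that choice is the whole security property of this change. Testing against `net->user_ns` means a caller who is root only inside a child user namespace still cannot take ports below PROT_SOCK in a network namespace owned by a more privileged user namespace; testing against the caller's own namespace would not give that guarantee. I would add above the check: `/* Need CAP_NET_BIND_SERVICE in the user namespace that owns the socket's netns, not merely in the caller's own user namespace. */`. The same comment would fit the matching checks in net/ipv6/af_inet6.c and net/sctp/socket.c. The enclosing function begins and ends outside these hunks, so this is based only on the visible lines.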
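--- a/net/ipv6/af_inet6.c
+++ b/net/ipv6/af_inet6.c
@@ -283,7 +283,7 @@
 return -EINVAL;
 
 snum = ntohs(addr->sin6_port);
-if (snum && snum < PROT_SOCK && !capable(CAP_NET_BIND_SERVICE))
+if (snum && snum < PROT_SOCK && !ns_capable(net->user_ns, CAP_NET_BIND_SERVICE))
 return -EACCES;
 
 lock_sock(sk);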
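Review bot: The new condition at line 286 is left on a single line that is already 80 characters before any indentation, while the same change in net/ipv4/af_inet.c and net/sctp/socket.c is wrapped. For consistency it could read `if (snum && snum < PROT_SOCK &&` followed by `!ns_capable(net->user_ns, CAP_NET_BIND_SERVICE))`. No declaration of `net` is visible in this hunk, unlike the other two files where the commit adds one. Presumably the function already declares it above line 283 as the socket's network namespace, which is worth confirming against the full file since the check is only as good as the namespace it is given.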
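--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -335,6 +335,7 @@
 /* Bind a local address either to an endpoint or to an association. */
 SCTP_STATIC int sctp_do_bind(struct sock *sk, union sctp_addr *addr, int len)
 {
+struct net *net = sock_net(sk);
 struct sctp_sock *sp = sctp_sk(sk);
 struct sctp_endpoint *ep = sp->ep;
 struct sctp_bind_addr *bp = &ep->base.bind_addr;
@@ -378,7 +379,8 @@
 }
 }
 
-if (snum && snum < PROT_SOCK && !capable(CAP_NET_BIND_SERVICE))
+if (snum && snum < PROT_SOCK &&
+!ns_capable(net->user_ns, CAP_NET_BIND_SERVICE))
 return -EACCES;
 
 /* See if the address matches any of the addresses we may have
@@ -1161,7 +1163,7 @@
 * be permitted to open new associations.
 */
 if (ep->base.bind_addr.port < PROT_SOCK &&
-!capable(CAP_NET_BIND_SERVICE)) {
+!ns_capable(net->user_ns, CAP_NET_BIND_SERVICE)) {
 err = -EACCES;
 goto out_free;
 }
@@ -1790,7 +1792,7 @@
 * associations.
 */
 if (ep->base.bind_addr.port < PROT_SOCK &&
-!capable(CAP_NET_BIND_SERVICE)) {
+!ns_capable(net->user_ns, CAP_NET_BIND_SERVICE)) {
 err = -EACCES;
 goto out_unlock;
 }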
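Review bot: The same capability test is now written three times in this file (new lines 382-383, 1166 and 1795) and twice more in net/ipv4/af_inet.c and net/ipv6/af_inet6.c, so the choice of namespace can drift if one site is edited later. A single shared predicate taking the `struct net *` and the port would keep the policy in one place; its core would be `port && port < PROT_SOCK && !ns_capable(net->user_ns, CAP_NET_BIND_SERVICE)`. The hunks at 1163 and 1792 use `net` without a visible declaration and their functions start outside the hunks, so confirm it is in scope there and is the `sock_net(sk)` of the socket being checked. Those two sites also test `ep->base.bind_addr.port < PROT_SOCK` without the non-zero guard used in sctp_do_bind; presumably the surrounding code guarantees a bound port, but that should be checked before unifying them.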