On Wed, 2015-12-16 at 07:43 -0800, Stephen Hemminger wrote:
>
> I see no security checks in the diag infrastructure.
> Up until now diag has been read-only access and therefore has been
> allowed for all users.
It is still allowed to all users.
Only the 'destroy' operation is restricted.
+int sock_diag_destroy(struct sock *sk, int err)
+{
+ if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
+ return -EPERM;
+
+ if (!sk->sk_prot->diag_destroy)
+ return -EOPNOTSUPP;
+
+ return sk->sk_prot->diag_destroy(sk, err);
+}
+EXPORT_SYMBOL_GPL(sock_diag_destroy);
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
