[IPSEC]: Restrict socket policy loading to CAP_NET_ADMIN.
The interface needs much redesigning if we wish to allow normal users to do this in some way. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Родитель
534afb90a9
Коммит
6fc0b4a7a7
|
@ -848,6 +848,9 @@ mc_msf_out:
|
|||
|
||||
case IP_IPSEC_POLICY:
|
||||
case IP_XFRM_POLICY:
|
||||
err = -EPERM;
|
||||
if (!capable(CAP_NET_ADMIN))
|
||||
break;
|
||||
err = xfrm_user_policy(sk, optname, optval, optlen);
|
||||
break;
|
||||
|
||||
|
|
|
@ -504,6 +504,9 @@ done:
|
|||
break;
|
||||
case IPV6_IPSEC_POLICY:
|
||||
case IPV6_XFRM_POLICY:
|
||||
retv = -EPERM;
|
||||
if (!capable(CAP_NET_ADMIN))
|
||||
break;
|
||||
retv = xfrm_user_policy(sk, optname, optval, optlen);
|
||||
break;
|
||||
|
||||
|
|
Загрузка…
Ссылка в новой задаче