]> www.infradead.org Git - users/jedix/linux-maple.git/commitdiff
RDS: restrict socket connection reset to CAP_NET_ADMIN
authorSantosh Shilimkar <santosh.shilimkar@oracle.com>
Thu, 15 Dec 2016 21:12:16 +0000 (13:12 -0800)
committerChuck Anderson <chuck.anderson@oracle.com>
Fri, 20 Jan 2017 09:05:56 +0000 (01:05 -0800)
Normal users not suppose to need/have access to the transport
connection reset.

Orabug:25393611
Reviewed-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>
Signed-off-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
net/rds/af_rds.c

index 7843f0a0a4bd2c8a1cd3aba1d3b44f0c6528ed05..894b0b23831ed4b8537c60cedcaf7c10c480fefe 100644 (file)
@@ -440,6 +440,7 @@ static int rds_setsockopt(struct socket *sock, int level, int optname,
                          char __user *optval, unsigned int optlen)
 {
        struct rds_sock *rs = rds_sk_to_rs(sock->sk);
+       struct net *net = sock_net(sock->sk);
        int ret;
 
        if (level != SOL_RDS) {
@@ -467,6 +468,10 @@ static int rds_setsockopt(struct socket *sock, int level, int optname,
                ret = rds_cong_monitor(rs, optval, optlen);
                break;
        case RDS_CONN_RESET:
+               if (!ns_capable(net->user_ns, CAP_NET_ADMIN)) {
+                       ret =  -EACCES;
+                       break;
+               }
                ret = rds_user_reset(rs, optval, optlen);
                break;
        case SO_RDS_TRANSPORT: