RDS: restrict socket connection reset to CAP_NET_ADMIN

Normal users not suppose to need/have access to the transport
connection reset.

Orabug:25393611
Reviewed-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>
Signed-off-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>

diff --git a/net/rds/af_rds.c b/net/rds/af_rds.c
index 7843f0a0a4bd2c8a1cd3aba1d3b44f0c6528ed05..894b0b23831ed4b8537c60cedcaf7c10c480fefe 100644 (file)
--- a/net/rds/af_rds.c
+++ b/net/rds/af_rds.c
@@ -440,6 +440,7 @@ static int rds_setsockopt(struct socket *sock, int level, int optname,
                          char __user *optval, unsigned int optlen)
 {
        struct rds_sock *rs = rds_sk_to_rs(sock->sk);
+       struct net *net = sock_net(sock->sk);
        int ret;
 
        if (level != SOL_RDS) {
@@ -467,6 +468,10 @@ static int rds_setsockopt(struct socket *sock, int level, int optname,
                ret = rds_cong_monitor(rs, optval, optlen);
                break;
        case RDS_CONN_RESET:
+               if (!ns_capable(net->user_ns, CAP_NET_ADMIN)) {
+                       ret =  -EACCES;
+                       break;
+               }
                ret = rds_user_reset(rs, optval, optlen);
                break;
        case SO_RDS_TRANSPORT: