From 7692cb81d72fc94380e9984e002edfee3d3aeea0 Mon Sep 17 00:00:00 2001
From: Santosh Shilimkar
Date: Thu, 15 Dec 2016 13:12:16 -0800
Subject: [PATCH] RDS: restrict socket connection reset to CAP_NET_ADMIN

Normal users not suppose to need/have access to the transport connection reset.

Orabug:25393611
Reviewed-by: Sowmini Varadhan
Signed-off-by: Santosh Shilimkar
---
 net/rds/af_rds.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/net/rds/af_rds.c b/net/rds/af_rds.c
index 7843f0a0a4bd..894b0b23831e 100644
--- a/net/rds/af_rds.c
+++ b/net/rds/af_rds.c
@@ -440,6 +440,7 @@ static int rds_setsockopt(struct socket *sock, int level, int optname,
 char __user *optval, unsigned int optlen)
 {
 struct rds_sock *rs = rds_sk_to_rs(sock->sk);
+ struct net *net = sock_net(sock->sk);
 int ret;
 
 if (level != SOL_RDS) {
@@ -467,6 +468,10 @@ static int rds_setsockopt(struct socket *sock, int level, int optname,
 ret = rds_cong_monitor(rs, optval, optlen);
 break;
 case RDS_CONN_RESET:
+ if (!ns_capable(net->user_ns, CAP_NET_ADMIN)) {
+ ret = -EACCES;
+ break;
+ }
 ret = rds_user_reset(rs, optval, optlen);
 break;
 case SO_RDS_TRANSPORT:
-- 
2.50.1
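Review bot: The new guard under `case RDS_CONN_RESET:` checks CAP_NET_ADMIN against `net->user_ns`, so it is satisfied by any task holding the capability in the user namespace that owns the socket's network namespace, not only by a task privileged in the initial namespace. That scope is adequate only if `rds_user_reset()` acts solely on connections belonging to the same network namespace, which cannot be confirmed here because its body is outside the hunk; if the reset can reach connection state shared across namespaces, `if (!capable(CAP_NET_ADMIN)) {` would be the stricter check. A short comment above the guard, for example `/* transport connection reset is an admin-only operation; see ns_capable() scope */`, would record why the namespaced check was chosen. As a smaller style point, `-EPERM` is the more usual errno for a missing capability than `-EACCES`. `rds_setsockopt()` starts before and continues past this hunk.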