diff options
author | Eyal Birger <eyal.birger@gmail.com> | 2022-05-04 12:54:59 +0300 |
---|---|---|
committer | Jakub Kicinski <kuba@kernel.org> | 2022-05-05 15:48:17 -0700 |
commit | 1f86123b97491cc2b5071d7f9933f0e91890c976 (patch) | |
tree | 2ebbd86073da540b458013d160833ae5dc7342e8 | |
parent | c4a67a21a6d255ddcbaa076c0412aad73c7e0c02 (diff) |
net: align SO_RCVMARK required privileges with SO_MARK
The commit referenced in the "Fixes" tag added the SO_RCVMARK socket
option for receiving the skb mark in the ancillary data.
Since this is a new capability, and exposes admin configured details
regarding the underlying network setup to sockets, let's align the
needed capabilities with those of SO_MARK.
Fixes: 6fd1d51cfa25 ("net: SO_RCVMARK socket option for SO_MARK with recvmsg()")
Signed-off-by: Eyal Birger <eyal.birger@gmail.com>
Link: https://lore.kernel.org/r/20220504095459.2663513-1-eyal.birger@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-rw-r--r-- | net/core/sock.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/net/core/sock.c b/net/core/sock.c index be20a1af20e5..6b287eb5427b 100644 --- a/net/core/sock.c +++ b/net/core/sock.c @@ -1315,6 +1315,12 @@ set_sndbuf: __sock_set_mark(sk, val); break; case SO_RCVMARK: + if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_RAW) && + !ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN)) { + ret = -EPERM; + break; + } + sock_valbool_flag(sk, SOCK_RCVMARK, valbool); break; |