summaryrefslogtreecommitdiff
path: root/net/core
diff options
context:
space:
mode:
authorMaciej Żenczykowski <maze@google.com>2021-11-23 12:37:15 -0800
committerJakub Kicinski <kuba@kernel.org>2021-11-24 18:57:05 -0800
commit079925cce1d06fe6614b1559b0020497b5b83d6a (patch)
tree3ce084ab2da800bcb11f408774bdf847bdcbebc1 /net/core
parenta1b519b745489a54189e05ee934ada1b6bc595a3 (diff)
net: allow SO_MARK with CAP_NET_RAW
A CAP_NET_RAW capable process can already spoof (on transmit) anything it desires via raw packet sockets... There is no good reason to not allow it to also be able to play routing tricks on packets from its own normal sockets. There is a desire to be able to use SO_MARK for routing table selection (via ip rule fwmark) from within a user process without having to run it as root. Granting it CAP_NET_RAW is much less dangerous than CAP_NET_ADMIN (CAP_NET_RAW doesn't permit persistent state change, while CAP_NET_ADMIN does - by for example allowing the reconfiguration of the routing tables and/or bringing up/down devices). Let's keep CAP_NET_ADMIN for persistent state changes, while using CAP_NET_RAW for non-configuration related stuff. Signed-off-by: Maciej Żenczykowski <maze@google.com> Link: https://lore.kernel.org/r/20211123203715.193413-1-zenczykowski@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Diffstat (limited to 'net/core')
-rw-r--r--net/core/sock.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/net/core/sock.c b/net/core/sock.c
index 1e49a127adef..4a499d255f40 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -1281,7 +1281,8 @@ set_sndbuf:
clear_bit(SOCK_PASSSEC, &sock->flags);
break;
case SO_MARK:
- if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN)) {
+ if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_RAW) &&
+ !ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN)) {
ret = -EPERM;
break;
}