r4007 - in trunk/kernel/linux-2.6/debian: . patches-debian
patches-debian/series
Simon Horman
horms at costa.debian.org
Mon Aug 22 05:55:45 UTC 2005
Author: horms
Date: 2005-08-22 05:55:44 +0000 (Mon, 22 Aug 2005)
New Revision: 4007
Added:
trunk/kernel/linux-2.6/debian/patches-debian/net-sockglue-cap.patch
Modified:
trunk/kernel/linux-2.6/debian/changelog
trunk/kernel/linux-2.6/debian/patches-debian/series/2.6.12+2.6.13-rc6-1
Log:
[Security] Restrict socket policy loading to CAP_NET_ADMIN.
See CAN-2005-2555.
Modified: trunk/kernel/linux-2.6/debian/changelog
===================================================================
--- trunk/kernel/linux-2.6/debian/changelog 2005-08-21 17:44:43 UTC (rev 4006)
+++ trunk/kernel/linux-2.6/debian/changelog 2005-08-22 05:55:44 UTC (rev 4007)
@@ -1,11 +1,13 @@
linux-2.6 (2.6.12+2.6.13-rc6-1) UNRELEASED; urgency=low
[ Simon Horman ]
- * - Unset CC_OPTIMIZE_FOR_SIZE in i386 config,
- it breaks iproute's (and other netlink users) ability
- to set routes. (closes: #322723)
+ * Unset CC_OPTIMIZE_FOR_SIZE in i386 config,
+ it breaks iproute's (and other netlink users) ability
+ to set routes. (closes: #322723)
+ * [Security] Restrict socket policy loading to CAP_NET_ADMIN.
+ See CAN-2005-2555.
- -- Simon Horman <horms at debian.org> Sun, 21 Aug 2005 10:55:12 +0900
+ -- Simon Horman <horms at debian.org> Mon, 22 Aug 2005 14:54:28 +0900
linux-2.6 (2.6.12-6) UNRELEASED; urgency=low
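Review bot: The stanza header for 2.6.12+2.6.13-rc6-1 still reads urgency=low although the entry added here is marked [Security] and cites CAN-2005-2555; consider whether the urgency should be raised before this version is uploaded. The new entry could also name net-sockglue-cap.patch so the changelog line can be matched to the file added in this revision.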
Added: trunk/kernel/linux-2.6/debian/patches-debian/net-sockglue-cap.patch
===================================================================
--- trunk/kernel/linux-2.6/debian/patches-debian/net-sockglue-cap.patch 2005-08-21 17:44:43 UTC (rev 4006)
+++ trunk/kernel/linux-2.6/debian/patches-debian/net-sockglue-cap.patch 2005-08-22 05:55:44 UTC (rev 4007)
@@ -0,0 +1,39 @@
+From: Herbert Xu <herbert at gondor.apana.org.au>
+Date: Sat, 6 Aug 2005 13:33:15 +0000 (-0700)
+Subject: [IPSEC]: Restrict socket policy loading to CAP_NET_ADMIN.
+X-Git-Tag: v2.6.13-rc6
+X-Git-Url: http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=6fc0b4a7a73a81e74d0004732df358f4f9975be2
+
+ [IPSEC]: Restrict socket policy loading to CAP_NET_ADMIN.
+
+ The interface needs much redesigning if we wish to allow
+ normal users to do this in some way.
+
+ Signed-off-by: Herbert Xu <herbert at gondor.apana.org.au>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+
+--- a/net/ipv4/ip_sockglue.c
++++ b/net/ipv4/ip_sockglue.c
+@@ -848,6 +848,9 @@ mc_msf_out:
+
+ case IP_IPSEC_POLICY:
+ case IP_XFRM_POLICY:
++ err = -EPERM;
++ if (!capable(CAP_NET_ADMIN))
++ break;
+ err = xfrm_user_policy(sk, optname, optval, optlen);
+ break;
+
+--- a/net/ipv6/ipv6_sockglue.c
++++ b/net/ipv6/ipv6_sockglue.c
+@@ -504,6 +504,9 @@ done:
+ break;
+ case IPV6_IPSEC_POLICY:
+ case IPV6_XFRM_POLICY:
++ retv = -EPERM;
++ if (!capable(CAP_NET_ADMIN))
++ break;
+ retv = xfrm_user_policy(sk, optname, optval, optlen);
+ break;
+
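Review bot: The capable(CAP_NET_ADMIN) test is duplicated in the two setsockopt callers (the IP_IPSEC_POLICY / IP_XFRM_POLICY case in net/ipv4/ip_sockglue.c and the IPV6_IPSEC_POLICY / IPV6_XFRM_POLICY case in net/ipv6/ipv6_sockglue.c) instead of living in xfrm_user_policy() itself, so the restriction holds only while every path into xfrm_user_policy() passes through one of these cases. It is worth confirming that no other caller exists, or moving the check into the callee. The patch header carried into patches-debian also does not mention CAN-2005-2555; adding the identifier there would tie the file to the changelog entry.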
Modified: trunk/kernel/linux-2.6/debian/patches-debian/series/2.6.12+2.6.13-rc6-1
===================================================================
--- trunk/kernel/linux-2.6/debian/patches-debian/series/2.6.12+2.6.13-rc6-1 2005-08-21 17:44:43 UTC (rev 4006)
+++ trunk/kernel/linux-2.6/debian/patches-debian/series/2.6.12+2.6.13-rc6-1 2005-08-22 05:55:44 UTC (rev 4007)
@@ -19,3 +19,4 @@
+ remove-references-to-removed-drivers.patch
+ sparc64-hme-lockup.patch
+ tty-locking-fixes9.patch
++ net-sockglue-cap.patch