[LLC]: Restrict LLC sockets to root
LLC currently allows users to inject raw frames, including IP packets
encapsulated in SNAP. While Linux doesn't handle IP over SNAP, other
systems do. Restrict LLC sockets to root similar to packet sockets.

[ Modified Patrick's patch to use CAP_NET_RAW --DaveM ]

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Patrick McHardy authored and David S. Miller committed Mar 28, 2008
1 parent 349fb2d commit 3480c63
Showing 1 changed file with 3 additions and 0 deletions.
3 changes: 3 additions & 0 deletions net/llc/af_llc.c
Expand Up @@ -155,6 +155,9 @@ static int llc_ui_create(struct net *net, struct socket *sock, int protocol)
struct sock *sk;
int rc = -ESOCKTNOSUPPORT;

if (!capable(CAP_NET_RAW))
return -EPERM;

if (net != &init_net)
return -EAFNOSUPPORT;
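
Review bot: The `capable(CAP_NET_RAW)` test added at the top of `llc_ui_create()` has no comment, so the reason for it (raw frame injection, including IP encapsulated in SNAP, per the commit message) exists only in the changelog; a one-line comment above the check would keep it from looking like an arbitrary restriction to a later reader. Because the test runs before the `net != &init_net` check, an unprivileged caller outside the initial namespace now gets -EPERM instead of -EAFNOSUPPORT; that ordering is defensible but should be a deliberate choice. The check gates creation of every LLC socket, so any existing unprivileged user of these sockets will start failing with -EPERM, and the commit message would be the place to state that behaviour change.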
