LLC: Restrict LLC sockets to root

Upstream commit: 3480c63bdf008e9289aab94418f43b9592978fff LLC currently allows users to inject raw frames, including IP packets encapsulated in SNAP. While Linux doesn't handle IP over SNAP, other systems do. Restrict LLC sockets to root similar to packet sockets. [ Modified Patrick's patch to use CAP_NEW_RAW --DaveM ] Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Chris Wright <chrisw@sous-sol.org>
author: Patrick McHardy <kaber@trash.net> 2008-04-06 23:40:33 -0700
committer: Chris Wright <chrisw@sous-sol.org> 2008-04-18 18:53:25 -0700
commit: e982cc89839374bb1a504448401dfafaf772bdbf (patch)
tree: f9356c889e3e2fc0a1333992b7e57f89681c5f44
parent: c6724ce3027b11151d39b4d19b85b9401462eebd (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c
index 46cf962f7f88..8c50eb430c19 100644
--- a/net/llc/af_llc.c
+++ b/net/llc/af_llc.c
@@ -155,6 +155,9 @@ static int llc_ui_create(struct net *net, struct socket *sock, int protocol)
 	struct sock *sk;
 	int rc = -ESOCKTNOSUPPORT;
 
+	if (!capable(CAP_NET_RAW))
+		return -EPERM;
+
 	if (net != &init_net)
 		return -EAFNOSUPPORT;
author	Patrick McHardy <kaber@trash.net>	2008-04-06 23:40:33 -0700
committer	Chris Wright <chrisw@sous-sol.org>	2008-04-18 18:53:25 -0700
commit	e982cc89839374bb1a504448401dfafaf772bdbf (patch)
tree	f9356c889e3e2fc0a1333992b7e57f89681c5f44
parent	c6724ce3027b11151d39b4d19b85b9401462eebd (diff)