path: root/datapath/brcompat.c
authorVivien Bernet-Rollande <vbr@soprive.net>2010-09-16 10:56:55 -0700
committerJesse Gross <jesse@nicira.com>2010-09-16 10:58:40 -0700
commitbbf4f269a391724d886f66b3661b10e5a434e2e8 (patch)
tree7d77af98bc957d6fbb67e2d6122dd053b16b1188 /datapath/brcompat.c
parent8ba1fd2fb9eb616ec028027e303c1664185c88e7 (diff)
brcompat_mod: Check if user has CAP_NET_ADMIN in ioctl handler
This patch checks that the user calling ioctl() to create, delete, or modify bridges has the CAP_NET_ADMIN capability. This prevents unprivileged users from modifying the bridge configuration through brcompatd. The checks are actually the same performed in net/bridge/br_ioctl.c by the Linux kernel. Signed-off-by: Vivien Bernet-Rollande <vbr@soprive.net> Signed-off-by: Jesse Gross <jesse@nicira.com>
Diffstat (limited to 'datapath/brcompat.c')
-rw-r--r--datapath/brcompat.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/datapath/brcompat.c b/datapath/brcompat.c
index 3e840115..2113eae0 100644
--- a/datapath/brcompat.c
+++ b/datapath/brcompat.c
@@ -84,6 +84,9 @@ static int brc_add_del_bridge(char __user *uname, int add)
struct sk_buff *request;
char name[IFNAMSIZ];
+ if (!capable(CAP_NET_ADMIN))
+ return -EPERM;
+
if (copy_from_user(name, uname, IFNAMSIZ))
return -EFAULT;
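Review bot: The new `capable(CAP_NET_ADMIN)` test lives inside brc_add_del_bridge (and, in the second hunk at -196, inside brc_add_del_port) rather than at the ioctl dispatch point, so the protection only covers ioctl commands that route through these two helpers. Any other command the module's ioctl handlers accept that changes bridge state — not visible from these hunks, so I cannot say whether one exists — would remain unchecked, and a future helper added beside these would need its own check. A short comment above the test would make the intended placement explicit, e.g. `/* As in net/bridge/br_ioctl.c: only CAP_NET_ADMIN may change bridge config. */`. Doing the check before copy_from_user() is the right order, since nothing is read from user memory on behalf of an unprivileged caller. brc_add_del_bridge's body continues outside the hunk.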
@@ -196,6 +199,9 @@ static int brc_add_del_port(struct net_device *dev, int port_ifindex, int add)
struct net_device *port;
int err;
+ if (!capable(CAP_NET_ADMIN))
+ return -EPERM;
+
port = __dev_get_by_index(&init_net, port_ifindex);
if (!port)
return -EINVAL;
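Review bot: `capable(CAP_NET_ADMIN)` is evaluated against the initial user namespace, which matches the `__dev_get_by_index(&init_net, ...)` lookup on the following context line — as far as this hunk shows, the module only acts on the initial network namespace, so a global capability check is the right scope. If that lookup is ever made per-namespace, this check has to move with it (later kernels provide `ns_capable()` for exactly that), so recording the coupling with `/* init_net only: a global CAP_NET_ADMIN check is sufficient here. */` would help. brc_add_del_port's body continues outside the hunk.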