net: Make CAP_NET_BIND_SERVICE per user namespace

Allow privileged users in any user namespace to bind to
privileged sockets in network namespaces they control.

Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
index 4f5f22061e1c54c8c671d5875dcf00c16b73dfa7..24b384b7903ea7a59a11e7a4cbf06db996498924 100644 (file)
--- a/net/ipv4/af_inet.c
+++ b/net/ipv4/af_inet.c
@@ -474,6 +474,7 @@ int inet_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
        struct sockaddr_in *addr = (struct sockaddr_in *)uaddr;
        struct sock *sk = sock->sk;
        struct inet_sock *inet = inet_sk(sk);
+       struct net *net = sock_net(sk);
        unsigned short snum;
        int chk_addr_ret;
        int err;
@@ -497,7 +498,7 @@ int inet_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
                        goto out;
        }
 
-       chk_addr_ret = inet_addr_type(sock_net(sk), addr->sin_addr.s_addr);
+       chk_addr_ret = inet_addr_type(net, addr->sin_addr.s_addr);
 
        /* Not specified by any standard per-se, however it breaks too
         * many applications when removed.  It is unfortunate since
@@ -517,7 +518,8 @@ int inet_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
 
        snum = ntohs(addr->sin_port);
        err = -EACCES;
-       if (snum && snum < PROT_SOCK && !capable(CAP_NET_BIND_SERVICE))
+       if (snum && snum < PROT_SOCK &&
+           !ns_capable(net->user_ns, CAP_NET_BIND_SERVICE))
                goto out;
 
        /*      We keep a pair of addresses. rcv_saddr is the one

diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
index 4b29f6b52c114861dcecb4ea52a4f2600bafca71..b043c60429bd45529111d56893dac55aae91427a 100644 (file)
--- a/net/ipv6/af_inet6.c
+++ b/net/ipv6/af_inet6.c
@@ -283,7 +283,7 @@ int inet6_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
                return -EINVAL;
 
        snum = ntohs(addr->sin6_port);
-       if (snum && snum < PROT_SOCK && !capable(CAP_NET_BIND_SERVICE))
+       if (snum && snum < PROT_SOCK && !ns_capable(net->user_ns, CAP_NET_BIND_SERVICE))
                return -EACCES;
 
        lock_sock(sk);

diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index 15379acd9c08f3394a345b563bd4f76267ad1bea..2e897069310a67676c4e81111a3c662db8bd3abc 100644 (file)
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -335,6 +335,7 @@ static struct sctp_af *sctp_sockaddr_af(struct sctp_sock *opt,
 /* Bind a local address either to an endpoint or to an association.  */
 SCTP_STATIC int sctp_do_bind(struct sock *sk, union sctp_addr *addr, int len)
 {
+       struct net *net = sock_net(sk);
        struct sctp_sock *sp = sctp_sk(sk);
        struct sctp_endpoint *ep = sp->ep;
        struct sctp_bind_addr *bp = &ep->base.bind_addr;
@@ -378,7 +379,8 @@ SCTP_STATIC int sctp_do_bind(struct sock *sk, union sctp_addr *addr, int len)
                }
        }
 
-       if (snum && snum < PROT_SOCK && !capable(CAP_NET_BIND_SERVICE))
+       if (snum && snum < PROT_SOCK &&
+           !ns_capable(net->user_ns, CAP_NET_BIND_SERVICE))
                return -EACCES;
 
        /* See if the address matches any of the addresses we may have
@@ -1161,7 +1163,7 @@ static int __sctp_connect(struct sock* sk,
                                 * be permitted to open new associations.
                                 */
                                if (ep->base.bind_addr.port < PROT_SOCK &&
-                                   !capable(CAP_NET_BIND_SERVICE)) {
+                                   !ns_capable(net->user_ns, CAP_NET_BIND_SERVICE)) {
                                        err = -EACCES;
                                        goto out_free;
                                }
@@ -1790,7 +1792,7 @@ SCTP_STATIC int sctp_sendmsg(struct kiocb *iocb, struct sock *sk,
                         * associations.
                         */
                        if (ep->base.bind_addr.port < PROT_SOCK &&
-                           !capable(CAP_NET_BIND_SERVICE)) {
+                           !ns_capable(net->user_ns, CAP_NET_BIND_SERVICE)) {
                                err = -EACCES;
                                goto out_unlock;
                        }