git.karo-electronics.de Git - karo-tx-linux.git/commitdiff
LLC: Restrict LLC sockets to root
author Patrick McHardy <kaber@trash.net>
Mon, 7 Apr 2008 06:40:33 +0000 (23:40 -0700)
committer Chris Wright <chrisw@sous-sol.org>
Sat, 19 Apr 2008 01:53:25 +0000 (18:53 -0700)
Upstream commit: 3480c63bdf008e9289aab94418f43b9592978fff

LLC currently allows users to inject raw frames, including IP packets
encapsulated in SNAP. While Linux doesn't handle IP over SNAP, other
systems do. Restrict LLC sockets to root similar to packet sockets.

[ Modified Patrick's patch to use CAP_NET_RAW --DaveM ]

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
net/llc/af_llc.c

index 46cf962f7f8889f049a3b0406f9f5f3b6c31034c..8c50eb430c19514f1aa811ef77bc6a12c5f7a399 100644 (file)
@@ -155,6 +155,9 @@ static int llc_ui_create(struct net *net, struct socket *sock, int protocol)
        struct sock *sk;
        int rc = -ESOCKTNOSUPPORT;
 
+       if (!capable(CAP_NET_RAW))
+               return -EPERM;
+
        if (net != &init_net)
                return -EAFNOSUPPORT;
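Review bot: The new `if (!capable(CAP_NET_RAW))` check at the top of llc_ui_create() has no comment, so the reason for it (unprivileged users could otherwise inject raw frames, including IP encapsulated in SNAP) is recorded only in the commit message. A one-line comment above the check, noting that this mirrors the restriction on packet sockets, would keep the rationale next to the code. Two smaller points: the subject says "restrict to root" while the code gates on the CAP_NET_RAW capability rather than uid 0, which is worth stating precisely in the description. Also, because the check sits ahead of `if (net != &init_net)`, an unprivileged caller in a non-initial namespace now gets -EPERM instead of -EAFNOSUPPORT. Failing closed first is the safer ordering, but it is a user-visible errno change that deserves a mention.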