-
Notifications
You must be signed in to change notification settings - Fork 0
/
linux-2.6-523-raw-sockets.patch
145 lines (133 loc) · 5.64 KB
/
linux-2.6-523-raw-sockets.patch
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
diff -NurpP --exclude '*.orig' --exclude '*.rej' linux-2.6.27.10-vs2.3.x-PS-522/include/linux/vserver/network.h linux-2.6.27.10-vs2.3.x-PS-522-523/include/linux/vserver/network.h
--- linux-2.6.27.10-vs2.3.x-PS-522/include/linux/vserver/network.h 2008-10-13 14:54:20.000000000 +0200
+++ linux-2.6.27.10-vs2.3.x-PS-522-523/include/linux/vserver/network.h 2009-01-21 03:22:02.000000000 +0100
@@ -47,6 +47,8 @@ static inline uint64_t __nxf_init_set(vo
#define NXC_TUN_CREATE 0x00000001
#define NXC_RAW_ICMP 0x00000100
+#define NXC_RAW_SOCKET 0x00000200
+#define NXC_RAW_SEND 0x00000400
/* address types */
diff -NurpP --exclude '*.orig' --exclude '*.rej' linux-2.6.27.10-vs2.3.x-PS-522/net/core/sock.c linux-2.6.27.10-vs2.3.x-PS-522-523/net/core/sock.c
--- linux-2.6.27.10-vs2.3.x-PS-522/net/core/sock.c 2008-10-13 14:54:20.000000000 +0200
+++ linux-2.6.27.10-vs2.3.x-PS-522-523/net/core/sock.c 2009-01-21 03:27:01.000000000 +0100
@@ -381,7 +381,7 @@ static int sock_bindtodevice(struct sock
/* Sorry... */
ret = -EPERM;
- if (!capable(CAP_NET_RAW))
+ if (!nx_capable(CAP_NET_RAW, NXC_RAW_SOCKET))
goto out;
ret = -EINVAL;
@@ -515,6 +515,19 @@ set_sndbuf:
}
goto set_sndbuf;
+ case SO_SETXID:
+ if (current_vx_info()) {
+ ret = -EPERM;
+ break;
+ }
+ if (val < 0 || val > MAX_S_CONTEXT) {
+ ret = -EINVAL;
+ break;
+ }
+ sk->sk_xid = val;
+ sk->sk_nid = val;
+ break;
+
case SO_RCVBUF:
/* Don't error on this BSD doesn't and if you think
about it this is right. Otherwise apps have to
diff -NurpP --exclude '*.orig' --exclude '*.rej' linux-2.6.27.10-vs2.3.x-PS-522/net/ipv4/af_inet.c linux-2.6.27.10-vs2.3.x-PS-522-523/net/ipv4/af_inet.c
--- linux-2.6.27.10-vs2.3.x-PS-522/net/ipv4/af_inet.c 2009-01-21 03:12:46.000000000 +0100
+++ linux-2.6.27.10-vs2.3.x-PS-522-523/net/ipv4/af_inet.c 2009-01-21 03:22:02.000000000 +0100
@@ -331,6 +331,9 @@ lookup_protocol:
if ((protocol == IPPROTO_ICMP) &&
nx_capable(answer->capability, NXC_RAW_ICMP))
goto override;
+ if (sock->type == SOCK_RAW &&
+ nx_capable(answer->capability, NXC_RAW_SOCKET))
+ goto override;
if (answer->capability > 0 && !capable(answer->capability))
goto out_rcu_unlock;
override:
diff -NurpP --exclude '*.orig' --exclude '*.rej' linux-2.6.27.10-vs2.3.x-PS-522/net/ipv4/ip_options.c linux-2.6.27.10-vs2.3.x-PS-522-523/net/ipv4/ip_options.c
--- linux-2.6.27.10-vs2.3.x-PS-522/net/ipv4/ip_options.c 2008-10-13 14:52:09.000000000 +0200
+++ linux-2.6.27.10-vs2.3.x-PS-522-523/net/ipv4/ip_options.c 2009-01-21 03:22:02.000000000 +0100
@@ -397,7 +397,7 @@ int ip_options_compile(struct net *net,
optptr[2] += 8;
break;
default:
- if (!skb && !capable(CAP_NET_RAW)) {
+ if (!skb && !nx_capable(CAP_NET_RAW, NXC_RAW_SOCKET)) {
pp_ptr = optptr + 3;
goto error;
}
@@ -433,7 +433,7 @@ int ip_options_compile(struct net *net,
opt->router_alert = optptr - iph;
break;
case IPOPT_CIPSO:
- if ((!skb && !capable(CAP_NET_RAW)) || opt->cipso) {
+ if ((!skb && !nx_capable(CAP_NET_RAW, NXC_RAW_SOCKET)) || opt->cipso) {
pp_ptr = optptr;
goto error;
}
@@ -446,7 +446,7 @@ int ip_options_compile(struct net *net,
case IPOPT_SEC:
case IPOPT_SID:
default:
- if (!skb && !capable(CAP_NET_RAW)) {
+ if (!skb && !nx_capable(CAP_NET_RAW, NXC_RAW_SOCKET)) {
pp_ptr = optptr;
goto error;
}
diff -NurpP --exclude '*.orig' --exclude '*.rej' linux-2.6.27.10-vs2.3.x-PS-522/net/ipv4/raw.c linux-2.6.27.10-vs2.3.x-PS-522-523/net/ipv4/raw.c
--- linux-2.6.27.10-vs2.3.x-PS-522/net/ipv4/raw.c 2008-10-13 14:54:20.000000000 +0200
+++ linux-2.6.27.10-vs2.3.x-PS-522-523/net/ipv4/raw.c 2009-01-21 03:26:02.000000000 +0100
@@ -108,7 +108,7 @@ void raw_unhash_sk(struct sock *sk)
EXPORT_SYMBOL_GPL(raw_unhash_sk);
static struct sock *__raw_v4_lookup(struct net *net, struct sock *sk,
- unsigned short num, __be32 raddr, __be32 laddr, int dif)
+ unsigned short num, __be32 raddr, __be32 laddr, int dif, int tag)
{
struct hlist_node *node;
@@ -117,6 +117,7 @@ static struct sock *__raw_v4_lookup(stru
if (net_eq(sock_net(sk), net) && inet->num == num &&
!(inet->daddr && inet->daddr != raddr) &&
+ (!sk->sk_nx_info || tag == 1 || sk->sk_nid == tag) &&
v4_sock_addr_match(sk->sk_nx_info, inet, laddr) &&
!(sk->sk_bound_dev_if && sk->sk_bound_dev_if != dif))
goto found; /* gotcha */
@@ -169,7 +170,7 @@ static int raw_v4_input(struct sk_buff *
net = dev_net(skb->dev);
sk = __raw_v4_lookup(net, __sk_head(head), iph->protocol,
iph->saddr, iph->daddr,
- skb->dev->ifindex);
+ skb->dev->ifindex, skb->skb_tag);
while (sk) {
delivered = 1;
@@ -182,7 +183,7 @@ static int raw_v4_input(struct sk_buff *
}
sk = __raw_v4_lookup(net, sk_next(sk), iph->protocol,
iph->saddr, iph->daddr,
- skb->dev->ifindex);
+ skb->dev->ifindex, skb->skb_tag);
}
out:
read_unlock(&raw_v4_hashinfo.lock);
@@ -277,8 +278,8 @@ void raw_icmp_error(struct sk_buff *skb,
net = dev_net(skb->dev);
while ((raw_sk = __raw_v4_lookup(net, raw_sk, protocol,
- iph->daddr, iph->saddr,
- skb->dev->ifindex)) != NULL) {
+ iph->daddr, iph->saddr, skb->dev->ifindex,
+ skb->skb_tag)) != NULL) {
raw_err(raw_sk, skb, info);
raw_sk = sk_next(raw_sk);
iph = (struct iphdr *)skb->data;
@@ -373,7 +374,7 @@ static int raw_send_hdrinc(struct sock *
skb_transport_header(skb))->type);
err = -EPERM;
- if (!nx_check(0, VS_ADMIN) && !capable(CAP_NET_RAW) &&
+ if (!nx_check(0, VS_ADMIN) && !nx_capable(CAP_NET_RAW, NXC_RAW_SOCKET) &&
sk->sk_nx_info &&
!v4_addr_in_nx_info(sk->sk_nx_info, iph->saddr, NXA_MASK_BIND))
goto error_free;