diff -drupN a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
--- a/net/ipv6/af_inet6.c 2018-08-06 17:23:04.000000000 +0300
+++ b/net/ipv6/af_inet6.c 2022-06-12 05:28:14.000000000 +0300
@@ -65,6 +65,20 @@
 #include
 #include
 
+#ifdef CONFIG_ANDROID_PARANOID_NETWORK
+#include
+
+static inline int current_has_network(void)
+{
+ return in_egroup_p(AID_INET) || capable(CAP_NET_RAW);
+}
+#else
+static inline int current_has_network(void)
+{
+ return 1;
+}
+#endif
+
 #include "ip6_offload.h"
 
 MODULE_AUTHOR("Cast of dozens");
@@ -121,6 +135,9 @@ static int inet6_create(struct net *net,
 if (protocol < 0 || protocol >= IPPROTO_MAX)
 return -EINVAL;
 
+ if (!current_has_network())
+ return -EACCES;
+
 /* Look for the requested type/protocol pair. */
 lookup_protocol:
 err = -ESOCKTNOSUPPORT;
@@ -167,8 +184,7 @@ lookup_protocol:
 }
 
 err = -EPERM;
- if (sock->type == SOCK_RAW && !kern &&
- !ns_capable(net->user_ns, CAP_NET_RAW))
+ if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW))
 goto out_rcu_unlock;
 
 sock->ops = answer->ops;
@@ -680,6 +696,7 @@ int inet6_sk_rebuild_header(struct sock
 fl6.flowi6_mark = sk->sk_mark;
 fl6.fl6_dport = inet->inet_dport;
 fl6.fl6_sport = inet->inet_sport;
+ fl6.flowi6_uid = sk->sk_uid;
 security_sk_classify_flow(sk, flowi6_to_flowi(&fl6));
 
 rcu_read_lock();
@@ -883,16 +900,18 @@ static int __init inet6_init(void)
 if (err)
 goto out_unregister_udplite_proto;
 
+#ifdef CONFIG_IP_PING
 err = proto_register(&pingv6_prot, 1);
 if (err)
- goto out_unregister_ping_proto;
+ goto out_unregister_raw_proto;
+#endif
 
 /* We MUST register RAW sockets before we create the ICMP6,
 * IGMP6, or NDISC control sockets.
 */
 err = rawv6_init();
 if (err)
- goto out_unregister_raw_proto;
+ goto out_unregister_ping_proto;
 
 /* Register the family here so that the init calls below will
 * be able to create sockets. (?? is this dangerous ??)
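Review bot: In the -65 hunk, `current_has_network()` has no comment stating the policy it enforces, and that policy is security-relevant: with CONFIG_ANDROID_PARANOID_NETWORK set, only tasks whose effective or supplementary groups include AID_INET, or that hold CAP_NET_RAW, pass. I would add above the first definition `/* Paranoid networking: IPv6 socket creation is limited to AID_INET members and CAP_NET_RAW holders. */`. Because `in_egroup_p()` is evaluated first, `capable()` runs only for tasks outside the group, and on LSM-enabled builds each such failed call may leave an audit denial; it is worth confirming that logging is intended. The helper is only used as a truth value, so `bool` would describe it better than `int`.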
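Review bot: In the -121 hunk (inet6_create), the new `current_has_network()` check runs for every caller, including kernel-internal socket creation, while the SOCK_RAW check later in the same function is gated on `!kern`. If in-kernel sockets created in the context of a task outside AID_INET are meant to keep working, the guard should read `if (!kern && !current_has_network())`. If the restriction is deliberate, a one-line comment saying so would stop someone from "fixing" it later. inet6_create starts and ends outside this hunk, so the `kern` parameter is inferred from its use in the following hunk.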
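Review bot: In the -167 hunk, replacing `ns_capable(net->user_ns, CAP_NET_RAW)` with `capable(CAP_NET_RAW)` sits outside the CONFIG_ANDROID_PARANOID_NETWORK guard, so it changes raw-socket policy on every configuration. CAP_NET_RAW held only in the user namespace that owns the netns no longer suffices. That is a tightening, but it is likely to break raw IPv6 sockets inside unprivileged containers, and nothing in the diff records the intent. Either keep the namespace-aware check when the paranoid option is off, or add a comment such as `/* Intentionally checked against the init user namespace. */` above the condition. The enclosing function continues outside the hunk.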
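Review bot: In the -883 hunk (inet6_init), `#ifdef CONFIG_IP_PING` covers only `proto_register(&pingv6_prot, 1)`, and no hunk in this file touches the later ping setup in the same function (pingv6_init() and its teardown, if this tree calls them there). With the option off, ping sockets might therefore still be initialised against an unregistered proto; please confirm those calls are guarded or stubbed elsewhere. The swap of the two goto targets also corrects the unwind order: a failed ping registration now skips `proto_unregister(&pingv6_prot)`, and a failed rawv6_init() now runs it. That is a behaviour fix independent of the config option and deserves its own line in the commit message. inet6_init continues outside this hunk; the matching labels are in the -1056 hunk.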
@@ -1056,8 +1075,10 @@ register_pernet_fail:
 out_sock_register_fail:
 rawv6_exit();
 out_unregister_ping_proto:
+#ifdef CONFIG_IP_PING
 proto_unregister(&pingv6_prot);
 out_unregister_raw_proto:
+#endif
 proto_unregister(&rawv6_prot);
 out_unregister_udplite_proto:
 proto_unregister(&udplitev6_prot);
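Review bot: `out_unregister_raw_proto:` now exists only when CONFIG_IP_PING is defined, because the `#endif` comes after the label rather than before it. That presumably avoids an unused-label warning when the option is off, but a future `goto out_unregister_raw_proto` added outside the guard would fail to build only in that configuration. I would add a comment next to the label, for example `/* only targeted by the CONFIG_IP_PING registration path in inet6_init() */`, so the coupling between the two guards is visible. The unwind sequence begins and continues outside this hunk.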