mirror of https://github.com/OpenIPC/firmware.git
diff -drupN a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
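--- a/net/ipv6/af_inet6.c 2018-08-06 17:23:04.000000000 +0300
+++ b/net/ipv6/af_inet6.c 2022-06-12 05:28:14.000000000 +0300
@@ -65,6 +65,20 @@
 #include <asm/uaccess.h>
 #include <linux/mroute6.h>
 
+#ifdef CONFIG_ANDROID_PARANOID_NETWORK
+#include <linux/android_aid.h>
+
+static inline int current_has_network(void)
+{
+ return in_egroup_p(AID_INET) || capable(CAP_NET_RAW);
+}
+#else
+static inline int current_has_network(void)
+{
+ return 1;
+}
+#endif
+
 #include "ip6_offload.h"
 
 MODULE_AUTHOR("Cast of dozens");
@@ -121,6 +135,9 @@ static int inet6_create(struct net *net,
 if (protocol < 0 || protocol >= IPPROTO_MAX)
 return -EINVAL;
 
+ if (!current_has_network())
+ return -EACCES;
+
 /* Look for the requested type/protocol pair. */
 lookup_protocol:
 err = -ESOCKTNOSUPPORT;
@@ -167,8 +184,7 @@ lookup_protocol:
 }
 
 err = -EPERM;
- if (sock->type == SOCK_RAW && !kern &&
- !ns_capable(net->user_ns, CAP_NET_RAW))
+ if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW))
 goto out_rcu_unlock;
 
 sock->ops = answer->ops;
@@ -680,6 +696,7 @@ int inet6_sk_rebuild_header(struct sock
 fl6.flowi6_mark = sk->sk_mark;
 fl6.fl6_dport = inet->inet_dport;
 fl6.fl6_sport = inet->inet_sport;
+ fl6.flowi6_uid = sk->sk_uid;
 security_sk_classify_flow(sk, flowi6_to_flowi(&fl6));
 
 rcu_read_lock();
@@ -883,16 +900,18 @@ static int __init inet6_init(void)
 if (err)
 goto out_unregister_udplite_proto;
 
+#ifdef CONFIG_IP_PING
 err = proto_register(&pingv6_prot, 1);
 if (err)
- goto out_unregister_ping_proto;
+ goto out_unregister_raw_proto;
+#endif
 
 /* We MUST register RAW sockets before we create the ICMP6,
 * IGMP6, or NDISC control sockets.
 */
 err = rawv6_init();
 if (err)
- goto out_unregister_raw_proto;
+ goto out_unregister_ping_proto;
 
 /* Register the family here so that the init calls below will
 * be able to create sockets. (?? is this dangerous ??)
@@ -1056,8 +1075,10 @@ register_pernet_fail:
 out_sock_register_fail:
 rawv6_exit();
 out_unregister_ping_proto:
+#ifdef CONFIG_IP_PING
 proto_unregister(&pingv6_prot);
 out_unregister_raw_proto:
+#endif
 proto_unregister(&rawv6_prot);
 out_unregister_udplite_proto:
 proto_unregister(&udplitev6_prot);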
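Review bot: The SOCK_RAW permission check in inet6_create (hunk at -167,8) replaces the namespace-aware `ns_capable(net->user_ns, CAP_NET_RAW)` with `capable(CAP_NET_RAW)`, and unlike `current_has_network()` this is not under `CONFIG_ANDROID_PARANOID_NETWORK`, so it changes behaviour in every build. `capable()` tests the capability against the initial user namespace, so a task that holds CAP_NET_RAW only in the user namespace owning `net` would now get -EPERM; if that tightening is not intended, keep `!ns_capable(net->user_ns, CAP_NET_RAW)`, otherwise state the reason in a comment above the check. In the same function, the added `if (!current_has_network()) return -EACCES;` runs without consulting `kern`, so on a paranoid-network build in-kernel socket creation appears to depend on the calling task's group membership too; `if (!kern && !current_has_network())` would exempt it if that is the intent. inet6_create's body starts and ends outside these hunks.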