mirror of https://github.com/OpenIPC/firmware.git
29 lines
922 B
Diff
29 lines
922 B
Diff
diff -drupN a/security/commoncap.c b/security/commoncap.c
|
|
--- a/security/commoncap.c 2018-08-06 17:23:04.000000000 +0300
|
|
+++ b/security/commoncap.c 2022-06-12 05:28:14.000000000 +0300
|
|
@@ -31,6 +31,10 @@
|
|
#include <linux/binfmts.h>
|
|
#include <linux/personality.h>
|
|
|
|
+#ifdef CONFIG_ANDROID_PARANOID_NETWORK
|
|
+#include <linux/android_aid.h>
|
|
+#endif
|
|
+
|
|
/*
|
|
* If a non-root user executes a setuid-root binary in
|
|
* !secure(SECURE_NOROOT) mode, then we raise capabilities.
|
|
@@ -73,6 +77,13 @@ int cap_capable(const struct cred *cred,
|
|
{
|
|
struct user_namespace *ns = targ_ns;
|
|
|
|
+#ifdef CONFIG_ANDROID_PARANOID_NETWORK
|
|
+ if (cap == CAP_NET_RAW && in_egroup_p(AID_NET_RAW))
|
|
+ return 0;
|
|
+ if (cap == CAP_NET_ADMIN && in_egroup_p(AID_NET_ADMIN))
|
|
+ return 0;
|
|
+#endif
|
|
+
|
|
/* See if cred has the capability in the target user namespace
|
|
* by examining the target user namespace and all of the target
|
|
* user namespace's parents.
|