net: check kern before calling security subsystem Before calling capable(CAP_NET_RAW) check if this operations is on behalf of the kernel or on behalf of userspace. Do not do the security check if it is on behalf of the kernel. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Arnaldo Carvalho de Melo <acme@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>

commit: c84b3268da3b85c9d8a9e504e1001a14ed829e94 [log] [tgz]
author: Eric Paris <eparis@redhat.com> Thu Nov 05 20:45:52 2009 -0800
committer: David S. Miller <davem@davemloft.net> Thu Nov 05 22:18:18 2009 -0800
tree: 795b4997f5610cf2e56a57ee5b1e4c2d4ca10188
parent: 3f378b684453f2a028eda463ce383370545d9cc9 [diff] [blame]
diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
index 45ed5e0..12e69d3 100644
--- a/net/ipv6/af_inet6.c
+++ b/net/ipv6/af_inet6.c

@@ -159,7 +159,7 @@
 	}
 
 	err = -EPERM;
-	if (sock->type == SOCK_RAW && !capable(CAP_NET_RAW))
+	if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW))
 		goto out_rcu_unlock;
 
 	sock->ops = answer->ops;
commit	c84b3268da3b85c9d8a9e504e1001a14ed829e94	[log] [tgz]
author	Eric Paris <eparis@redhat.com>	Thu Nov 05 20:45:52 2009 -0800
committer	David S. Miller <davem@davemloft.net>	Thu Nov 05 22:18:18 2009 -0800
tree	795b4997f5610cf2e56a57ee5b1e4c2d4ca10188
parent	3f378b684453f2a028eda463ce383370545d9cc9 [diff] [blame]