diff options
| author | Chia-chi Yeh <chiachi@android.com> | 2009-06-19 07:15:05 +0800 |
|---|---|---|
| committer | Colin Cross <ccross@android.com> | 2012-04-09 13:57:47 -0700 |
| commit | 0432013eb1fbddf51f43d3dfb7553db011c81707 (patch) | |
| tree | b6600e6562949114ccb4ca32f5fec339738a9340 /security | |
| parent | c54f674c656d66a27f555bdc85e122808f65d119 (diff) | |
| download | panda-0432013eb1fbddf51f43d3dfb7553db011c81707.tar.gz | |
security: Add AID_NET_RAW and AID_NET_ADMIN capability check in cap_capable().
Signed-off-by: Chia-chi Yeh <chiachi@android.com>
Diffstat (limited to 'security')
| -rw-r--r-- | security/commoncap.c | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/security/commoncap.c b/security/commoncap.c index 0cf4b53480a..5cbb55ec6e4 100644 --- a/security/commoncap.c +++ b/security/commoncap.c @@ -30,6 +30,10 @@ #include <linux/user_namespace.h> #include <linux/binfmts.h> +#ifdef CONFIG_ANDROID_PARANOID_NETWORK +#include <linux/android_aid.h> +#endif + /* * If a non-root user executes a setuid-root binary in * !secure(SECURE_NOROOT) mode, then we raise capabilities. @@ -75,6 +79,11 @@ int cap_netlink_send(struct sock *sk, struct sk_buff *skb) int cap_capable(const struct cred *cred, struct user_namespace *targ_ns, int cap, int audit) { + if (cap == CAP_NET_RAW && in_egroup_p(AID_NET_RAW)) + return 0; + if (cap == CAP_NET_ADMIN && in_egroup_p(AID_NET_ADMIN)) + return 0; + for (;;) { /* The creator of the user namespace has all caps. */ if (targ_ns != &init_user_ns && targ_ns->creator == cred->user) |