Bluetooth: Fix HCI User Channel permission check in hci_sock_sendmsg
authorMarcel Holtmann <marcel@holtmann.org>
Tue, 17 Dec 2013 11:21:25 +0000 (03:21 -0800)
committerJohan Hedberg <johan.hedberg@intel.com>
Tue, 17 Dec 2013 11:47:27 +0000 (13:47 +0200)
commit1bc5ad168f441f6f8bfd944288a5f7b4963ac1f6
tree2cbf8a686a7d16844a32938ee81a09c3846fb572
parentbd0976dd3379e790b031cef7f477c58b82a65fc2
Bluetooth: Fix HCI User Channel permission check in hci_sock_sendmsg

The HCI User Channel is an admin operation which enforces CAP_NET_ADMIN
when binding the socket. Problem now is that it then requires also
CAP_NET_RAW when calling into hci_sock_sendmsg. This is not intended
and just an oversight since general HCI sockets (which do not require
special permission to bind) and HCI User Channel share the same code
path here.

Remove the extra CAP_NET_RAW check for HCI User Channel write operation
since the permission check has already been enforced when binding the
socket. This also makes it possible to open HCI User Channel from a
privileged process and then hand the file descriptor to an unprivilged
process.

Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Tested-by: Samuel Ortiz <sameo@linux.intel.com>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
net/bluetooth/hci_sock.c