tproxy: Add missing CAP_NET_ADMIN check to ipv6 side
authorBalazs Scheidler <bazsi@balabit.hu>
Sat, 23 Oct 2010 04:48:14 +0000 (04:48 +0000)
committerDavid S. Miller <davem@davemloft.net>
Sun, 24 Oct 2010 23:07:50 +0000 (16:07 -0700)
IP_TRANSPARENT requires root (more precisely CAP_NET_ADMIN privielges)
for IPV6.

However as I see right now this check was missed from the IPv6
implementation.

Acked-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/ipv6/ipv6_sockglue.c

index 0553867a317f4466b31df3bd6d2695e180537be9..d1770e061c081de2bed4ad23932ff07291e11a90 100644 (file)
@@ -343,6 +343,10 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname,
                break;
 
        case IPV6_TRANSPARENT:
+               if (!capable(CAP_NET_ADMIN)) {
+                       retv = -EPERM;
+                       break;
+               }
                if (optlen < sizeof(int))
                        goto e_inval;
                /* we don't have a separate transparent bit for IPV6 we use the one in the IPv4 socket */