From: Eyal Birger <eyal.birger@gmail.com>
Date: Wed, 4 May 2022 09:54:59 +0000 (+0300)
Subject: net: align SO_RCVMARK required privileges with SO_MARK
X-Git-Tag: v6.1-rc5~1274^2~182
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=1f86123b97491cc2b5071d7f9933f0e91890c976;p=platform%2Fkernel%2Flinux-starfive.git

net: align SO_RCVMARK required privileges with SO_MARK

The commit referenced in the "Fixes" tag added the SO_RCVMARK socket
option for receiving the skb mark in the ancillary data.

Since this is a new capability, and exposes admin configured details
regarding the underlying network setup to sockets, let's align the
needed capabilities with those of SO_MARK.

Fixes: 6fd1d51cfa25 ("net: SO_RCVMARK socket option for SO_MARK with recvmsg()")
Signed-off-by: Eyal Birger <eyal.birger@gmail.com>
Link: https://lore.kernel.org/r/20220504095459.2663513-1-eyal.birger@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
---

diff --git a/net/core/sock.c b/net/core/sock.c
index be20a1a..6b287eb 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -1315,6 +1315,12 @@ set_sndbuf:
 		__sock_set_mark(sk, val);
 		break;
 	case SO_RCVMARK:
+		if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_RAW) &&
+		    !ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN)) {
+			ret = -EPERM;
+			break;
+		}
+
 		sock_valbool_flag(sk, SOCK_RCVMARK, valbool);
 		break;