From f61fd5f77a3322f54ddeee2d902bbb58dfee15f9 Mon Sep 17 00:00:00 2001
From: Daniel Hokka Zakrisson
Date: Fri, 15 Feb 2008 21:37:16 +0000
Subject: [PATCH] Use the right capability at the right time.

---
 linux-2.6-520-vnet+.patch | 28 ++++++++++++++++++++++++----
 1 file changed, 24 insertions(+), 4 deletions(-)

diff --git a/linux-2.6-520-vnet+.patch b/linux-2.6-520-vnet+.patch
index 6bb2fe487..271729f13 100644
--- a/linux-2.6-520-vnet+.patch
+++ b/linux-2.6-520-vnet+.patch
@@ -719,7 +719,7 @@ diff -Nurp linux-2.6.22-510/net/netfilter/xt_SETXID.c linux-2.6.22-520/net/netfi
 +module_exit(fini);
 diff -Nurp linux-2.6.22-510/net/packet/af_packet.c linux-2.6.22-520/net/packet/af_packet.c
 --- linux-2.6.22-510/net/packet/af_packet.c 2007-07-22 00:00:27.000000000 +0200
-+++ linux-2.6.22-520/net/packet/af_packet.c 2008-02-15 20:36:45.000000000 +0100
++++ linux-2.6.22-520/net/packet/af_packet.c 2008-02-15 22:28:15.000000000 +0100
 @@ -78,6 +78,7 @@
  #include 
  #include 
@@ -728,7 +728,17 @@ diff -Nurp linux-2.6.22-510/net/packet/af_packet.c linux-2.6.22-520/net/packet/a
  #ifdef CONFIG_INET
  #include 
 
-@@ -420,6 +421,10 @@ static inline unsigned int run_filter(st
+@@ -324,6 +325,9 @@ static int packet_sendmsg_spkt(struct ki
+ __be16 proto=0;
+ int err;
+ 
++ if (!nx_capable(CAP_NET_RAW, NXC_RAW_SEND))
++ return -EPERM;
++
+ /*
+ * Get and verify the address.
+ */
+@@ -420,6 +424,10 @@ static inline unsigned int run_filter(st
  unsigned int res)
  {
  struct sk_filter *filter;
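Review bot: The `NXC_RAW_SEND` guard added at the top of packet_sendmsg_spkt (and the identical one added to packet_sendmsg in the next hunk) carries no comment, so a reader who sees that packet_create is already gated on nx_capable() will wonder why the check is repeated on every send. The commit title suggests the intent is that create-time and send-time are distinct policy points, presumably because a socket can be used from a context other than the one that opened it; if that is the rationale, record it once above each guard, e.g. `/* checked per send, not only at create: the socket may be used from a context other than the one that opened it */`, after confirming it. Both guards return before the address lookup and before any lock is taken, so the -EPERM path releases nothing. packet_sendmsg_spkt's body starts and ends outside this hunk.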
@@ -739,12 +749,22 @@ diff -Nurp linux-2.6.22-510/net/packet/af_packet.c linux-2.6.22-520/net/packet/a
  rcu_read_lock_bh();
  filter = rcu_dereference(sk->sk_filter);
 
-@@ -984,7 +989,7 @@ static int packet_create(struct socket *
+@@ -711,6 +719,9 @@ static int packet_sendmsg(struct kiocb *
+ unsigned char *addr;
+ int ifindex, err, reserve = 0;
+ 
++ if (!nx_capable(CAP_NET_RAW, NXC_RAW_SEND))
++ return -EPERM;
++
+ /*
+ * Get and verify the address.
+ */
+@@ -984,7 +995,7 @@ static int packet_create(struct socket *
  __be16 proto = (__force __be16)protocol; /* weird, but documented */
  int err;
  
 - if (!capable(CAP_NET_RAW))
-+ if (!nx_capable(CAP_NET_RAW, NXC_RAW_SEND))
++ if (!nx_capable(CAP_NET_RAW, NXC_RAW_SOCKET))
  return -EPERM;
  
  if (sock->type != SOCK_DGRAM && sock->type != SOCK_RAW && sock->type != SOCK_PACKET)
-- 
2.47.0
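Review bot: Switching packet_create's check from `NXC_RAW_SEND` to `NXC_RAW_SOCKET` means a context holding only `NXC_RAW_SOCKET` can now open a packet socket while every sendmsg on it fails with -EPERM, and nothing in this patch gates the receive side on either flag; whether "socket but not send" is meant to grant receive-only access is not stated anywhere in the change. If that split is intended, say so at the create-time check, e.g. `/* NXC_RAW_SOCKET covers open/bind/receive; NXC_RAW_SEND is enforced separately in the sendmsg paths */`; if it is not, the receive path needs its own gate and that would be a separate patch. The rewritten inner hunk offsets (+424, +719, +995) are consistent with the two three-line inserts, so the nested patch should still apply. packet_create's body continues outside this hunk.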