Setting tag linux-2.6-22-50
[linux-2.6.git] / linux-2.6-523-raw-sockets.patch
1 diff -Nurb linux-2.6.22-510/include/linux/vserver/network.h linux-2.6.22-520/include/linux/vserver/network.h
2 --- linux-2.6.22-510/include/linux/vserver/network.h    2008-06-06 17:07:48.000000000 -0400
3 +++ linux-2.6.22-520/include/linux/vserver/network.h    2008-06-06 17:07:56.000000000 -0400
4 @@ -47,6 +47,8 @@
5  #define NXC_TUN_CREATE         0x00000001
6  
7  #define NXC_RAW_ICMP           0x00000100
8 +#define NXC_RAW_SOCKET         0x00000200
9 +#define NXC_RAW_SEND           0x00000400
10  
11  
12  /* address types */
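Review bot: `NXC_RAW_SEND` is defined here but no hunk in this patch tests it; every converted check uses `NXC_RAW_SOCKET`, including the source-address check in net/ipv4/raw.c. Neither bit carries a comment, so the header does not tell an administrator that granting `NXC_RAW_SOCKET` also relaxes the device-binding and IP-option checks changed further down. I would add comments along the lines of `/* open raw sockets of any protocol */` and `/* send with a source address outside the context */`, adjusted to what the maintainers intend. `NXC_RAW_SEND` should then either be wired into a check or dropped.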
13 diff -Nurb linux-2.6.22-510/include/net/raw.h linux-2.6.22-520/include/net/raw.h
14 --- linux-2.6.22-510/include/net/raw.h  2007-07-08 19:32:17.000000000 -0400
15 +++ linux-2.6.22-520/include/net/raw.h  2008-06-06 17:07:56.000000000 -0400
16 @@ -36,7 +36,7 @@
17  
18  extern struct sock *__raw_v4_lookup(struct sock *sk, unsigned short num,
19                                     __be32 raddr, __be32 laddr,
20 -                                   int dif);
21 +                                   int dif, int tag);
22  
23  extern int raw_v4_input(struct sk_buff *skb, struct iphdr *iph, int hash);
24
25 diff -Nurb linux-2.6.22-510/net/core/sock.c linux-2.6.22-520/net/core/sock.c
26 --- linux-2.6.22-510/net/core/sock.c    2008-06-06 17:07:48.000000000 -0400
27 +++ linux-2.6.22-520/net/core/sock.c    2008-06-06 17:07:56.000000000 -0400
28 @@ -444,6 +444,19 @@
29                 }
30                 goto set_sndbuf;
31  
32 +       case SO_SETXID:
33 +               if (current_vx_info()) {
34 +                       ret = -EPERM;
35 +                       break;
36 +               }
37 +               if (val < 0 || val > MAX_S_CONTEXT) {
38 +                       ret = -EINVAL;
39 +                       break;
40 +               }
41 +               sk->sk_xid = val;
42 +               sk->sk_nid = val;
43 +               break;
44 +
45         case SO_RCVBUF:
46                 /* Don't error on this BSD doesn't and if you think
47                    about it this is right. Otherwise apps have to
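Review bot: The new `SO_SETXID` case refuses callers that are inside a context but has no capability test for host-context callers, so as far as this hunk shows an unprivileged host process can retag its socket into an arbitrary context. A guard such as `if (current_vx_info() || !capable(CAP_NET_ADMIN)) {` would limit it to privileged host processes; which capability fits is the maintainers' call. `val` is range-checked against `MAX_S_CONTEXT` only, yet it is also stored in `sk->sk_nid`, and the socket's `sk_nx_info` is left untouched, so the ids and the info pointer can disagree afterwards. The enclosing function starts and ends outside the hunk.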
48 @@ -573,7 +586,7 @@
49                 char devname[IFNAMSIZ];
50  
51                 /* Sorry... */
52 -               if (!capable(CAP_NET_RAW)) {
53 +               if (!nx_capable(CAP_NET_RAW, NXC_RAW_SOCKET)) {
54                         ret = -EPERM;
55                         break;
56                 }
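Review bot: This check guards a device-name option that is not specific to raw sockets, so relaxing it to `nx_capable(CAP_NET_RAW, NXC_RAW_SOCKET)` makes a raw-socket permission also control interface binding. The `devname[IFNAMSIZ]` buffer suggests this is SO_BINDTODEVICE, but the case label is outside the hunk. Nothing visible restricts the named device to interfaces that carry the context's own addresses. If the coupling is intended, a comment like `/* NXC_RAW_SOCKET also permits binding to any device by name */` should say so; otherwise keep `capable(CAP_NET_RAW)` here.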
57 diff -Nurb linux-2.6.22-510/net/ipv4/af_inet.c linux-2.6.22-520/net/ipv4/af_inet.c
58 --- linux-2.6.22-510/net/ipv4/af_inet.c 2008-06-06 17:07:48.000000000 -0400
59 +++ linux-2.6.22-520/net/ipv4/af_inet.c 2008-06-06 17:07:56.000000000 -0400
60 @@ -312,6 +314,9 @@
61         if ((protocol == IPPROTO_ICMP) &&
62                 nx_capable(answer->capability, NXC_RAW_ICMP))
63                 goto override;
64 +       if (sock->type == SOCK_RAW &&
65 +               nx_capable(answer->capability, NXC_RAW_SOCKET))
66 +               goto override;
67         if (answer->capability > 0 && !capable(answer->capability))
68                 goto out_rcu_unlock;
69  override:
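Review bot: The added test sends every `SOCK_RAW` request from a context holding `NXC_RAW_SOCKET` to `override`, skipping the `capable(answer->capability)` check for all protocols rather than only ICMP. From there on, separation between contexts rests on the tag filter added to `__raw_v4_lookup` and on the send-side check in net/ipv4/raw.c. A comment above the branch, for example `/* NXC_RAW_SOCKET: any raw protocol; receive is filtered by tag in __raw_v4_lookup() */`, would record that dependency for whoever changes either side later. The enclosing function is outside the hunk.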
70 diff -Nurb linux-2.6.22-510/net/ipv4/icmp.c linux-2.6.22-520/net/ipv4/icmp.c
71 --- linux-2.6.22-510/net/ipv4/icmp.c    2008-06-06 17:07:55.000000000 -0400
72 +++ linux-2.6.22-520/net/ipv4/icmp.c    2008-06-06 17:07:56.000000000 -0400
73 @@ -709,7 +709,7 @@
74         if ((raw_sk = sk_head(&raw_v4_htable[hash])) != NULL) {
75                 while ((raw_sk = __raw_v4_lookup(raw_sk, protocol, iph->daddr,
76                                                  iph->saddr,
77 -                                                skb->dev->ifindex)) != NULL) {
78 +                                                skb->dev->ifindex, skb->skb_tag)) != NULL) {
79                         raw_err(raw_sk, skb, info);
80                         raw_sk = sk_next(raw_sk);
81                         iph = (struct iphdr *)skb->data;
82 diff -Nurb linux-2.6.22-510/net/ipv4/ip_options.c linux-2.6.22-520/net/ipv4/ip_options.c
83 --- linux-2.6.22-510/net/ipv4/ip_options.c      2007-07-08 19:32:17.000000000 -0400
84 +++ linux-2.6.22-520/net/ipv4/ip_options.c      2008-06-06 17:07:56.000000000 -0400
85 @@ -409,7 +409,7 @@
86                                         optptr[2] += 8;
87                                         break;
88                                       default:
89 -                                       if (!skb && !capable(CAP_NET_RAW)) {
90 +                                       if (!skb && !nx_capable(CAP_NET_RAW, NXC_RAW_SOCKET)) {
91                                                 pp_ptr = optptr + 3;
92                                                 goto error;
93                                         }
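Review bot: These three checks (here, the `IPOPT_CIPSO` case at -445 and the `IPOPT_SEC`/`IPOPT_SID`/default case at -458) apply when `skb` is NULL, so they appear to gate options supplied by a local sender, and the change lets any context holding `NXC_RAW_SOCKET` set them. CIPSO and the security option carry labelling information that receivers may trust, which is a different privilege from opening a raw socket. I would leave those two at the original test, i.e. keep `if ((!skb && !capable(CAP_NET_RAW)) || opt->cipso) {`, or state on the `NXC_RAW_SOCKET` definition that it includes setting them. The surrounding switch starts and ends outside the hunks.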
94 @@ -445,7 +445,7 @@
95                                 opt->router_alert = optptr - iph;
96                         break;
97                       case IPOPT_CIPSO:
98 -                       if ((!skb && !capable(CAP_NET_RAW)) || opt->cipso) {
99 +                       if ((!skb && !nx_capable(CAP_NET_RAW, NXC_RAW_SOCKET)) || opt->cipso) {
100                                 pp_ptr = optptr;
101                                 goto error;
102                         }
103 @@ -458,7 +458,7 @@
104                       case IPOPT_SEC:
105                       case IPOPT_SID:
106                       default:
107 -                       if (!skb && !capable(CAP_NET_RAW)) {
108 +                       if (!skb && !nx_capable(CAP_NET_RAW, NXC_RAW_SOCKET)) {
109                                 pp_ptr = optptr;
110                                 goto error;
111                         }
112 diff -Nurb linux-2.6.22-510/net/ipv4/raw.c linux-2.6.22-520/net/ipv4/raw.c
113 --- linux-2.6.22-510/net/ipv4/raw.c     2008-06-06 17:07:48.000000000 -0400
114 +++ linux-2.6.22-520/net/ipv4/raw.c     2008-06-06 17:07:56.000000000 -0400
115 @@ -103,7 +103,7 @@
116  
117  struct sock *__raw_v4_lookup(struct sock *sk, unsigned short num,
118                              __be32 raddr, __be32 laddr,
119 -                            int dif)
120 +                            int dif, int tag)
121  {
122         struct hlist_node *node;
123  
124 @@ -112,6 +112,7 @@
125  
126                 if (inet->num == num                                    &&
127                     !(inet->daddr && inet->daddr != raddr)              &&
128 +                   (!sk->sk_nx_info || tag == 1 || sk->sk_nid == tag)  &&
129                     v4_sock_addr_match(sk->sk_nx_info, inet, laddr)     &&
130                     !(sk->sk_bound_dev_if && sk->sk_bound_dev_if != dif))
131                         goto found; /* gotcha */
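Review bot: The new clause `(!sk->sk_nx_info || tag == 1 || sk->sk_nid == tag)` hard-codes `1` as a tag that matches every socket, and nothing on this page says what tag 1 means or where `skb->skb_tag` is assigned. If 1 is meant as a wildcard or default tag, any packet carrying it is delivered to matching raw sockets in every context, so it deserves a named constant and a comment such as `/* tag 1: not owned by a context, visible to all; sockets without nx_info see every tag */`. Sockets with no `sk_nx_info` bypass the filter entirely. That includes a host socket whose `sk_nid` was set through the `SO_SETXID` case in net/core/sock.c, since that case does not set `sk_nx_info`. The `tag` parameter added in the previous hunk should also be described where `__raw_v4_lookup` is declared.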
132 @@ -161,7 +162,7 @@
133                 goto out;
134         sk = __raw_v4_lookup(__sk_head(head), iph->protocol,
135                              iph->saddr, iph->daddr,
136 -                            skb->dev->ifindex);
137 +                            skb->dev->ifindex, skb->skb_tag);
138  
139         while (sk) {
140                 delivered = 1;
141 @@ -174,7 +175,7 @@
142                 }
143                 sk = __raw_v4_lookup(sk_next(sk), iph->protocol,
144                                      iph->saddr, iph->daddr,
145 -                                    skb->dev->ifindex);
146 +                                    skb->dev->ifindex, skb->skb_tag);
147         }
148  out:
149         read_unlock(&raw_v4_lock);
150 @@ -315,7 +316,7 @@
151         }
152  
153         err = -EPERM;
154 -       if (!nx_check(0, VS_ADMIN) && !capable(CAP_NET_RAW) &&
155 +       if (!nx_check(0, VS_ADMIN) && !nx_capable(CAP_NET_RAW, NXC_RAW_SOCKET) &&
156                 sk->sk_nx_info &&
157                 !v4_addr_in_nx_info(sk->sk_nx_info, iph->saddr, NXA_MASK_BIND))
158                 goto error_free;
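Review bot: This condition appears to be what stops a context from sending a packet whose `iph->saddr` is not one of its own addresses, and with `nx_capable(CAP_NET_RAW, NXC_RAW_SOCKET)` any context allowed to open raw sockets now skips it. The patch defines `NXC_RAW_SEND` but never tests it, and this looks like the check it was meant for, so that receiving on raw sockets and sending with foreign source addresses can be granted separately: `if (!nx_check(0, VS_ADMIN) && !nx_capable(CAP_NET_RAW, NXC_RAW_SEND) &&`. The definition of `nx_capable` is not on this page, so confirm how it combines the base capability with the context bit before relying on either form. The enclosing function starts outside the hunk.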