Setting tag linux-2.6-27-38
[linux-2.6.git] / linux-2.6-523-raw-sockets.patch
1 diff -NurpP --exclude '*.orig' --exclude '*.rej' linux-2.6.27.10-vs2.3.x-PS-522/include/linux/vserver/network.h linux-2.6.27.10-vs2.3.x-PS-522-523/include/linux/vserver/network.h
2 --- linux-2.6.27.10-vs2.3.x-PS-522/include/linux/vserver/network.h      2008-10-13 14:54:20.000000000 +0200
3 +++ linux-2.6.27.10-vs2.3.x-PS-522-523/include/linux/vserver/network.h  2009-01-21 03:22:02.000000000 +0100
4 @@ -47,6 +47,8 @@ static inline uint64_t __nxf_init_set(vo
5  #define NXC_TUN_CREATE         0x00000001
6  
7  #define NXC_RAW_ICMP           0x00000100
8 +#define NXC_RAW_SOCKET         0x00000200
9 +#define NXC_RAW_SEND           0x00000400
10  
11  
12  /* address types */
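Review bot: The two new bits `NXC_RAW_SOCKET` and `NXC_RAW_SEND` are added without any comment on what they grant, and in the hunks shown on this page only `NXC_RAW_SOCKET` is ever tested. That one bit ends up gating raw socket creation, the `sock_bindtodevice` check, locally supplied restricted IP options and the source-address check in `raw_send_hdrinc`, which is a wide grant for an administrator to infer from the name. I would add a comment such as `/* NXC_RAW_SOCKET: create raw sockets, bind to device, set restricted IP options */` above the define, and either state what `NXC_RAW_SEND` is for or leave it out until something checks it.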
13 diff -NurpP --exclude '*.orig' --exclude '*.rej' linux-2.6.27.10-vs2.3.x-PS-522/net/core/sock.c linux-2.6.27.10-vs2.3.x-PS-522-523/net/core/sock.c
14 --- linux-2.6.27.10-vs2.3.x-PS-522/net/core/sock.c      2008-10-13 14:54:20.000000000 +0200
15 +++ linux-2.6.27.10-vs2.3.x-PS-522-523/net/core/sock.c  2009-01-21 03:27:01.000000000 +0100
16 @@ -381,7 +381,7 @@ static int sock_bindtodevice(struct sock
17  
18         /* Sorry... */
19         ret = -EPERM;
20 -       if (!capable(CAP_NET_RAW))
21 +       if (!nx_capable(CAP_NET_RAW, NXC_RAW_SOCKET))
22                 goto out;
23  
24         ret = -EINVAL;
25 @@ -515,6 +515,19 @@ set_sndbuf:
26                 }
27                 goto set_sndbuf;
28  
29 +       case SO_SETXID:
30 +               if (current_vx_info()) {
31 +                       ret = -EPERM;
32 +                       break;
33 +               }
34 +               if (val < 0 || val > MAX_S_CONTEXT) {
35 +                       ret = -EINVAL;
36 +                       break;
37 +               }
38 +               sk->sk_xid = val;
39 +               sk->sk_nid = val;
40 +               break;
41 +
42         case SO_RCVBUF:
43                 /* Don't error on this BSD doesn't and if you think
44                    about it this is right. Otherwise apps have to
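Review bot: The new `SO_SETXID` case checks only that the caller is outside a vserver context (`current_vx_info()`), so as far as this hunk shows, any process in the host context, privileged or not, can stamp an arbitrary `sk_xid`/`sk_nid` onto its socket. Those fields feed per-context matching (the `sk->sk_nid == tag` test this same patch adds in `net/ipv4/raw.c`), so I would require a capability as well, e.g. `if (current_vx_info() || !capable(CAP_NET_ADMIN)) {`. The case also leaves `sk->sk_nx_info` untouched, and the raw lookup treats a NULL `sk_nx_info` as match-everything, so the tag set here may not narrow raw delivery the way the option name suggests; that is worth confirming and documenting in a comment on the case. The enclosing switch starts and ends outside the hunk.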
45 diff -NurpP --exclude '*.orig' --exclude '*.rej' linux-2.6.27.10-vs2.3.x-PS-522/net/ipv4/af_inet.c linux-2.6.27.10-vs2.3.x-PS-522-523/net/ipv4/af_inet.c
46 --- linux-2.6.27.10-vs2.3.x-PS-522/net/ipv4/af_inet.c   2009-01-21 03:12:46.000000000 +0100
47 +++ linux-2.6.27.10-vs2.3.x-PS-522-523/net/ipv4/af_inet.c       2009-01-21 03:22:02.000000000 +0100
48 @@ -331,6 +331,9 @@ lookup_protocol:
49         if ((protocol == IPPROTO_ICMP) &&
50                 nx_capable(answer->capability, NXC_RAW_ICMP))
51                 goto override;
52 +       if (sock->type == SOCK_RAW &&
53 +               nx_capable(answer->capability, NXC_RAW_SOCKET))
54 +               goto override;
55         if (answer->capability > 0 && !capable(answer->capability))
56                 goto out_rcu_unlock;
57  override:
58 diff -NurpP --exclude '*.orig' --exclude '*.rej' linux-2.6.27.10-vs2.3.x-PS-522/net/ipv4/ip_options.c linux-2.6.27.10-vs2.3.x-PS-522-523/net/ipv4/ip_options.c
59 --- linux-2.6.27.10-vs2.3.x-PS-522/net/ipv4/ip_options.c        2008-10-13 14:52:09.000000000 +0200
60 +++ linux-2.6.27.10-vs2.3.x-PS-522-523/net/ipv4/ip_options.c    2009-01-21 03:22:02.000000000 +0100
61 @@ -397,7 +397,7 @@ int ip_options_compile(struct net *net,
62                                         optptr[2] += 8;
63                                         break;
64                                       default:
65 -                                       if (!skb && !capable(CAP_NET_RAW)) {
66 +                                       if (!skb && !nx_capable(CAP_NET_RAW, NXC_RAW_SOCKET)) {
67                                                 pp_ptr = optptr + 3;
68                                                 goto error;
69                                         }
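Review bot: Replacing `capable(CAP_NET_RAW)` with `nx_capable(CAP_NET_RAW, NXC_RAW_SOCKET)` here, and again in the `IPOPT_CIPSO` and `IPOPT_SEC`/`IPOPT_SID` hunks below, ties permission to supply restricted IP options locally (`!skb`) to the raw-socket context capability. For `IPOPT_CIPSO` in particular the option presumably carries a security label, so letting the raw-socket bit decide it looks broader than the name implies; unless guests are meant to label their own traffic, I would leave that one case as `if ((!skb && !capable(CAP_NET_RAW)) || opt->cipso) {`. If the wider grant is intended, a one-line comment at each of the three sites saying so would help the next reader. `ip_options_compile` extends beyond all three hunks, and `nx_capable` is defined elsewhere, so its exact semantics should be checked against this reading.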
70 @@ -433,7 +433,7 @@ int ip_options_compile(struct net *net,
71                                 opt->router_alert = optptr - iph;
72                         break;
73                       case IPOPT_CIPSO:
74 -                       if ((!skb && !capable(CAP_NET_RAW)) || opt->cipso) {
75 +                       if ((!skb && !nx_capable(CAP_NET_RAW, NXC_RAW_SOCKET)) || opt->cipso) {
76                                 pp_ptr = optptr;
77                                 goto error;
78                         }
79 @@ -446,7 +446,7 @@ int ip_options_compile(struct net *net,
80                       case IPOPT_SEC:
81                       case IPOPT_SID:
82                       default:
83 -                       if (!skb && !capable(CAP_NET_RAW)) {
84 +                       if (!skb && !nx_capable(CAP_NET_RAW, NXC_RAW_SOCKET)) {
85                                 pp_ptr = optptr;
86                                 goto error;
87                         }
88 diff -NurpP --exclude '*.orig' --exclude '*.rej' linux-2.6.27.10-vs2.3.x-PS-522/net/ipv4/raw.c linux-2.6.27.10-vs2.3.x-PS-522-523/net/ipv4/raw.c
89 --- linux-2.6.27.10-vs2.3.x-PS-522/net/ipv4/raw.c       2008-10-13 14:54:20.000000000 +0200
90 +++ linux-2.6.27.10-vs2.3.x-PS-522-523/net/ipv4/raw.c   2009-01-21 03:26:02.000000000 +0100
91 @@ -108,7 +108,7 @@ void raw_unhash_sk(struct sock *sk)
92  EXPORT_SYMBOL_GPL(raw_unhash_sk);
93  
94  static struct sock *__raw_v4_lookup(struct net *net, struct sock *sk,
95 -               unsigned short num, __be32 raddr, __be32 laddr, int dif)
96 +               unsigned short num, __be32 raddr, __be32 laddr, int dif, int tag)
97  {
98         struct hlist_node *node;
99  
100 @@ -117,6 +117,7 @@ static struct sock *__raw_v4_lookup(stru
101  
102                 if (net_eq(sock_net(sk), net) && inet->num == num       &&
103                     !(inet->daddr && inet->daddr != raddr)              &&
104 +                   (!sk->sk_nx_info || tag == 1 || sk->sk_nid == tag)  &&
105                     v4_sock_addr_match(sk->sk_nx_info, inet, laddr)     &&
106                     !(sk->sk_bound_dev_if && sk->sk_bound_dev_if != dif))
107                         goto found; /* gotcha */
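Review bot: The added condition `(!sk->sk_nx_info || tag == 1 || sk->sk_nid == tag)` is the per-context filter for raw socket delivery in `__raw_v4_lookup`, and it has two undocumented wildcards: sockets without `sk_nx_info` match every tag, and a packet carrying the literal tag `1` matches every socket. Neither the meaning of tag `1` nor the behaviour for untagged packets is explained, so a reader cannot tell which of these bypasses are intended. I would give the constant a name and add a comment above the condition, for example `/* host sockets and packets tagged <WILDCARD_TAG> are exempt from the nid match */`, and confirm that `int tag` and `sk_nid` have compatible types so the equality test is not affected by a sign or width conversion. The loop around this condition is only partly inside the hunk.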
108 @@ -169,7 +170,7 @@ static int raw_v4_input(struct sk_buff *
109         net = dev_net(skb->dev);
110         sk = __raw_v4_lookup(net, __sk_head(head), iph->protocol,
111                              iph->saddr, iph->daddr,
112 -                            skb->dev->ifindex);
113 +                            skb->dev->ifindex, skb->skb_tag);
114  
115         while (sk) {
116                 delivered = 1;
117 @@ -182,7 +183,7 @@ static int raw_v4_input(struct sk_buff *
118                 }
119                 sk = __raw_v4_lookup(net, sk_next(sk), iph->protocol,
120                                      iph->saddr, iph->daddr,
121 -                                    skb->dev->ifindex);
122 +                                    skb->dev->ifindex, skb->skb_tag);
123         }
124  out:
125         read_unlock(&raw_v4_hashinfo.lock);
126 @@ -277,8 +278,8 @@ void raw_icmp_error(struct sk_buff *skb,
127                 net = dev_net(skb->dev);
128  
129                 while ((raw_sk = __raw_v4_lookup(net, raw_sk, protocol,
130 -                                               iph->daddr, iph->saddr,
131 -                                               skb->dev->ifindex)) != NULL) {
132 +                       iph->daddr, iph->saddr, skb->dev->ifindex,
133 +                       skb->skb_tag)) != NULL) {
134                         raw_err(raw_sk, skb, info);
135                         raw_sk = sk_next(raw_sk);
136                         iph = (struct iphdr *)skb->data;
137 @@ -373,7 +374,7 @@ static int raw_send_hdrinc(struct sock *
138                         skb_transport_header(skb))->type);
139  
140         err = -EPERM;
141 -       if (!nx_check(0, VS_ADMIN) && !capable(CAP_NET_RAW) &&
142 +       if (!nx_check(0, VS_ADMIN) && !nx_capable(CAP_NET_RAW, NXC_RAW_SOCKET) &&
143                 sk->sk_nx_info &&
144                 !v4_addr_in_nx_info(sk->sk_nx_info, iph->saddr, NXA_MASK_BIND))
145                 goto error_free;
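Review bot: With `nx_capable(CAP_NET_RAW, NXC_RAW_SOCKET)` in this condition, a context holding the raw-socket capability skips the `v4_addr_in_nx_info(sk->sk_nx_info, iph->saddr, NXA_MASK_BIND)` test, so header-included packets can leave with a source address that is not one of the context's own. The patch defines a separate `NXC_RAW_SEND` bit in `network.h` that nothing on this page tests; if it was meant to control exactly this, the line should read `if (!nx_check(0, VS_ADMIN) && !nx_capable(CAP_NET_RAW, NXC_RAW_SEND) &&`. Otherwise consider keeping the source-address check for guest contexts regardless of `NXC_RAW_SOCKET`, so that permission to open a raw socket does not also mean permission to send from addresses outside the context. The start of `raw_send_hdrinc` is outside the hunk.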