Restrict access to ports below 1024 to privileged users.

Signed-off-by: Sean Hefty <[EMAIL PROTECTED]>

---

I added the check to the kernel rdma_cm. Does this look right to you?

Index: cma.c
===================================================================
--- cma.c       (revision 6541)
+++ cma.c       (working copy)
@@ -1375,11 +1375,16 @@ static int cma_use_port(struct idr *ps, 
        struct sockaddr_in *sin, *cur_sin;
        struct rdma_bind_list *bind_list;
        struct hlist_node *node;
+       unsigned short snum;
 
        sin = (struct sockaddr_in *) &id_priv->id.route.addr.src_addr;
-       bind_list = idr_find(ps, ntohs(sin->sin_port));
+       snum = ntohs(sin->sin_port);
+       if (snum < PROT_SOCK && !capable(CAP_NET_BIND_SERVICE))
+               return -EACCES;
+
+       bind_list = idr_find(ps, snum);
        if (!bind_list)
-               return cma_alloc_port(ps, id_priv, ntohs(sin->sin_port));
+               return cma_alloc_port(ps, id_priv, snum);
 
        /*
         * We don't support binding to any address if anyone is bound to
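Review bot: The added guard `if (snum < PROT_SOCK && !capable(CAP_NET_BIND_SERVICE))` also returns -EACCES for port 0 when the caller is unprivileged, although a zero port normally means "pick any port" rather than a reserved one. The callers are outside this hunk, so if cma_use_port() can ever be reached with sin_port == 0 the test should read `if (snum && snum < PROT_SOCK && !capable(CAP_NET_BIND_SERVICE))`. capable() evaluates the credentials of the current task, so the check only enforces the policy when the bind runs in the context of the process that asked for it; it is worth confirming that no path reaches this function from a work queue or other kernel thread, where the check would presumably always pass. A one-line comment above the check, such as `/* Ports below PROT_SOCK are reserved for CAP_NET_BIND_SERVICE holders */`, would record why the RDMA port space applies it. The body of cma_use_port() starts before and continues past this hunk.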
