Browse code
kernels: Fix CVE-2017-8824, CVE-2017-17448, CVE-2017-17450
Update to kernel version 4.9.74 and apply patches on top to fix the
above mentioned CVEs.
Change-Id: Ie5ac5ec5bddd5380d96a0fdb48386522cbe30334
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/4581
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Alexey Makhalov <amakhalov@vmware.com>
Srivatsa S. Bhat authored on 2018/01/03 08:48:52Showing 7 changed files
- SPECS/linux-api-headers/linux-api-headers.spec
- SPECS/linux/dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch
- SPECS/linux/linux-esx.spec
- SPECS/linux/linux-secure.spec
- SPECS/linux/linux.spec
- SPECS/linux/netfilter-nfnetlink_cthelper-Add-missing-permission-checks.patch
- SPECS/linux/netfilter-xt_osf-Add-missing-permission-checks.patch
| ... | ... |
@@ -1,6 +1,6 @@ |
| 1 | 1 |
Summary: Linux API header files |
| 2 | 2 |
Name: linux-api-headers |
| 3 |
-Version: 4.9.71 |
|
| 3 |
+Version: 4.9.74 |
|
| 4 | 4 |
Release: 1%{?dist}
|
| 5 | 5 |
License: GPLv2 |
| 6 | 6 |
URL: http://www.kernel.org/ |
| ... | ... |
@@ -8,7 +8,7 @@ Group: System Environment/Kernel |
| 8 | 8 |
Vendor: VMware, Inc. |
| 9 | 9 |
Distribution: Photon |
| 10 | 10 |
Source0: http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz
|
| 11 |
-%define sha1 linux=837883b228489c9717bce49e021080d94921460b |
|
| 11 |
+%define sha1 linux=b9054174240bc452a9596e59921c93e903fa3d60 |
|
| 12 | 12 |
BuildArch: noarch |
| 13 | 13 |
%description |
| 14 | 14 |
The Linux API Headers expose the kernel's API for use by Glibc. |
| ... | ... |
@@ -25,6 +25,8 @@ find /%{buildroot}%{_includedir} \( -name .install -o -name ..install.cmd \) -de
|
| 25 | 25 |
%defattr(-,root,root) |
| 26 | 26 |
%{_includedir}/*
|
| 27 | 27 |
%changelog |
| 28 |
+* Tue Jan 02 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.74-1 |
|
| 29 |
+- Version update |
|
| 28 | 30 |
* Thu Dec 21 2017 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.71-1 |
| 29 | 31 |
- Version update |
| 30 | 32 |
* Mon Dec 04 2017 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.66-1 |
| 31 | 33 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,37 @@ |
| 0 |
+commit 69c64866ce072dea1d1e59a0d61e0f66c0dffb76 |
|
| 1 |
+Author: Mohamed Ghannam <simo.ghannam@gmail.com> |
|
| 2 |
+Date: Tue Dec 5 20:58:35 2017 +0000 |
|
| 3 |
+ |
|
| 4 |
+ dccp: CVE-2017-8824: use-after-free in DCCP code |
|
| 5 |
+ |
|
| 6 |
+ Whenever the sock object is in DCCP_CLOSED state, |
|
| 7 |
+ dccp_disconnect() must free dccps_hc_tx_ccid and |
|
| 8 |
+ dccps_hc_rx_ccid and set to NULL. |
|
| 9 |
+ |
|
| 10 |
+ Signed-off-by: Mohamed Ghannam <simo.ghannam@gmail.com> |
|
| 11 |
+ Reviewed-by: Eric Dumazet <edumazet@google.com> |
|
| 12 |
+ Signed-off-by: David S. Miller <davem@davemloft.net> |
|
| 13 |
+ |
|
| 14 |
+diff --git a/net/dccp/proto.c b/net/dccp/proto.c |
|
| 15 |
+index b68168f..9d43c1f 100644 |
|
| 16 |
+--- a/net/dccp/proto.c |
|
| 17 |
+@@ -259,6 +259,7 @@ int dccp_disconnect(struct sock *sk, int flags) |
|
| 18 |
+ {
|
|
| 19 |
+ struct inet_connection_sock *icsk = inet_csk(sk); |
|
| 20 |
+ struct inet_sock *inet = inet_sk(sk); |
|
| 21 |
++ struct dccp_sock *dp = dccp_sk(sk); |
|
| 22 |
+ int err = 0; |
|
| 23 |
+ const int old_state = sk->sk_state; |
|
| 24 |
+ |
|
| 25 |
+@@ -278,6 +279,10 @@ int dccp_disconnect(struct sock *sk, int flags) |
|
| 26 |
+ sk->sk_err = ECONNRESET; |
|
| 27 |
+ |
|
| 28 |
+ dccp_clear_xmit_timers(sk); |
|
| 29 |
++ ccid_hc_rx_delete(dp->dccps_hc_rx_ccid, sk); |
|
| 30 |
++ ccid_hc_tx_delete(dp->dccps_hc_tx_ccid, sk); |
|
| 31 |
++ dp->dccps_hc_rx_ccid = NULL; |
|
| 32 |
++ dp->dccps_hc_tx_ccid = NULL; |
|
| 33 |
+ |
|
| 34 |
+ __skb_queue_purge(&sk->sk_receive_queue); |
|
| 35 |
+ __skb_queue_purge(&sk->sk_write_queue); |
| ... | ... |
@@ -1,7 +1,7 @@ |
| 1 | 1 |
%global security_hardening none |
| 2 | 2 |
Summary: Kernel |
| 3 | 3 |
Name: linux-esx |
| 4 |
-Version: 4.9.71 |
|
| 4 |
+Version: 4.9.74 |
|
| 5 | 5 |
Release: 1%{?dist}
|
| 6 | 6 |
License: GPLv2 |
| 7 | 7 |
URL: http://www.kernel.org/ |
| ... | ... |
@@ -9,7 +9,7 @@ Group: System Environment/Kernel |
| 9 | 9 |
Vendor: VMware, Inc. |
| 10 | 10 |
Distribution: Photon |
| 11 | 11 |
Source0: http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz
|
| 12 |
-%define sha1 linux=837883b228489c9717bce49e021080d94921460b |
|
| 12 |
+%define sha1 linux=b9054174240bc452a9596e59921c93e903fa3d60 |
|
| 13 | 13 |
Source1: config-esx |
| 14 | 14 |
Source2: initramfs.trigger |
| 15 | 15 |
# common |
| ... | ... |
@@ -40,8 +40,13 @@ Patch22: add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.pat |
| 40 | 40 |
Patch23: ACPICA-Namespace-fix-operand-cache-leak.patch |
| 41 | 41 |
# Fix CVE-2017-1000252 |
| 42 | 42 |
Patch24: kvm-dont-accept-wrong-gsi-values.patch |
| 43 |
- |
|
| 44 |
-Patch25: init-do_mounts-recreate-dev-root.patch |
|
| 43 |
+Patch25: init-do_mounts-recreate-dev-root.patch |
|
| 44 |
+# Fix CVE-2017-8824 |
|
| 45 |
+Patch26: dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch |
|
| 46 |
+# Fix CVE-2017-17448 |
|
| 47 |
+Patch27: netfilter-nfnetlink_cthelper-Add-missing-permission-checks.patch |
|
| 48 |
+# Fix CVE-2017-17450 |
|
| 49 |
+Patch28: netfilter-xt_osf-Add-missing-permission-checks.patch |
|
| 45 | 50 |
|
| 46 | 51 |
BuildRequires: bc |
| 47 | 52 |
BuildRequires: kbd |
| ... | ... |
@@ -104,6 +109,9 @@ The Linux package contains the Linux kernel doc files |
| 104 | 104 |
%patch23 -p1 |
| 105 | 105 |
%patch24 -p1 |
| 106 | 106 |
%patch25 -p1 |
| 107 |
+%patch26 -p1 |
|
| 108 |
+%patch27 -p1 |
|
| 109 |
+%patch28 -p1 |
|
| 107 | 110 |
|
| 108 | 111 |
%build |
| 109 | 112 |
# patch vmw_balloon driver |
| ... | ... |
@@ -200,6 +208,9 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg
|
| 200 | 200 |
/usr/src/linux-headers-%{uname_r}
|
| 201 | 201 |
|
| 202 | 202 |
%changelog |
| 203 |
+* Tue Jan 02 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.74-1 |
|
| 204 |
+- Version update |
|
| 205 |
+- Add patches to fix CVE-2017-8824, CVE-2017-17448 and CVE-2017-17450. |
|
| 203 | 206 |
* Thu Dec 21 2017 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.71-1 |
| 204 | 207 |
- Version update |
| 205 | 208 |
* Mon Dec 19 2017 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.66-2 |
| ... | ... |
@@ -1,7 +1,7 @@ |
| 1 | 1 |
%global security_hardening none |
| 2 | 2 |
Summary: Kernel |
| 3 | 3 |
Name: linux-secure |
| 4 |
-Version: 4.9.71 |
|
| 4 |
+Version: 4.9.74 |
|
| 5 | 5 |
Release: 1%{?kat_build:.%kat_build}%{?dist}
|
| 6 | 6 |
License: GPLv2 |
| 7 | 7 |
URL: http://www.kernel.org/ |
| ... | ... |
@@ -9,7 +9,7 @@ Group: System Environment/Kernel |
| 9 | 9 |
Vendor: VMware, Inc. |
| 10 | 10 |
Distribution: Photon |
| 11 | 11 |
Source0: http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz
|
| 12 |
-%define sha1 linux=837883b228489c9717bce49e021080d94921460b |
|
| 12 |
+%define sha1 linux=b9054174240bc452a9596e59921c93e903fa3d60 |
|
| 13 | 13 |
Source1: config-secure |
| 14 | 14 |
Source2: aufs4.9.tar.gz |
| 15 | 15 |
%define sha1 aufs=ebe716ce4b638a3772c7cd3161abbfe11d584906 |
| ... | ... |
@@ -50,6 +50,13 @@ Patch29: add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.pat |
| 50 | 50 |
Patch30: ACPICA-Namespace-fix-operand-cache-leak.patch |
| 51 | 51 |
# Fix CVE-2017-1000252 |
| 52 | 52 |
Patch31: kvm-dont-accept-wrong-gsi-values.patch |
| 53 |
+# Fix CVE-2017-8824 |
|
| 54 |
+Patch32: dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch |
|
| 55 |
+# Fix CVE-2017-17448 |
|
| 56 |
+Patch33: netfilter-nfnetlink_cthelper-Add-missing-permission-checks.patch |
|
| 57 |
+# Fix CVE-2017-17450 |
|
| 58 |
+Patch34: netfilter-xt_osf-Add-missing-permission-checks.patch |
|
| 59 |
+ |
|
| 53 | 60 |
# NSX requirements (should be removed) |
| 54 | 61 |
Patch99: LKCM.patch |
| 55 | 62 |
|
| ... | ... |
@@ -158,6 +165,9 @@ EOF |
| 158 | 158 |
%patch29 -p1 |
| 159 | 159 |
%patch30 -p1 |
| 160 | 160 |
%patch31 -p1 |
| 161 |
+%patch32 -p1 |
|
| 162 |
+%patch33 -p1 |
|
| 163 |
+%patch34 -p1 |
|
| 161 | 164 |
|
| 162 | 165 |
pushd .. |
| 163 | 166 |
%patch99 -p0 |
| ... | ... |
@@ -284,6 +294,9 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg
|
| 284 | 284 |
/usr/src/linux-headers-%{uname_r}
|
| 285 | 285 |
|
| 286 | 286 |
%changelog |
| 287 |
+* Tue Jan 02 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.74-1 |
|
| 288 |
+- Version update |
|
| 289 |
+- Add patches to fix CVE-2017-8824, CVE-2017-17448 and CVE-2017-17450. |
|
| 287 | 290 |
* Thu Dec 21 2017 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.71-1 |
| 288 | 291 |
- Version update |
| 289 | 292 |
* Mon Dec 04 2017 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.66-1 |
| ... | ... |
@@ -1,7 +1,7 @@ |
| 1 | 1 |
%global security_hardening none |
| 2 | 2 |
Summary: Kernel |
| 3 | 3 |
Name: linux |
| 4 |
-Version: 4.9.71 |
|
| 4 |
+Version: 4.9.74 |
|
| 5 | 5 |
Release: 1%{?kat_build:.%kat_build}%{?dist}
|
| 6 | 6 |
License: GPLv2 |
| 7 | 7 |
URL: http://www.kernel.org/ |
| ... | ... |
@@ -9,7 +9,7 @@ Group: System Environment/Kernel |
| 9 | 9 |
Vendor: VMware, Inc. |
| 10 | 10 |
Distribution: Photon |
| 11 | 11 |
Source0: http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz
|
| 12 |
-%define sha1 linux=837883b228489c9717bce49e021080d94921460b |
|
| 12 |
+%define sha1 linux=b9054174240bc452a9596e59921c93e903fa3d60 |
|
| 13 | 13 |
Source1: config |
| 14 | 14 |
Source2: initramfs.trigger |
| 15 | 15 |
%define ena_version 1.1.3 |
| ... | ... |
@@ -47,6 +47,12 @@ Patch26: add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.pat |
| 47 | 47 |
Patch27: ACPICA-Namespace-fix-operand-cache-leak.patch |
| 48 | 48 |
# Fix CVE-2017-1000252 |
| 49 | 49 |
Patch28: kvm-dont-accept-wrong-gsi-values.patch |
| 50 |
+# Fix CVE-2017-8824 |
|
| 51 |
+Patch29: dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch |
|
| 52 |
+# Fix CVE-2017-17448 |
|
| 53 |
+Patch30: netfilter-nfnetlink_cthelper-Add-missing-permission-checks.patch |
|
| 54 |
+# Fix CVE-2017-17450 |
|
| 55 |
+Patch31: netfilter-xt_osf-Add-missing-permission-checks.patch |
|
| 50 | 56 |
|
| 51 | 57 |
%if 0%{?kat_build:1}
|
| 52 | 58 |
Patch1000: %{kat_build}.patch
|
| ... | ... |
@@ -146,6 +152,10 @@ This package contains the 'perf' performance analysis tools for Linux kernel. |
| 146 | 146 |
%patch26 -p1 |
| 147 | 147 |
%patch27 -p1 |
| 148 | 148 |
%patch28 -p1 |
| 149 |
+%patch29 -p1 |
|
| 150 |
+%patch30 -p1 |
|
| 151 |
+%patch31 -p1 |
|
| 152 |
+ |
|
| 149 | 153 |
%if 0%{?kat_build:1}
|
| 150 | 154 |
%patch1000 -p1 |
| 151 | 155 |
%endif |
| ... | ... |
@@ -312,6 +322,9 @@ ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg
|
| 312 | 312 |
/usr/share/doc/* |
| 313 | 313 |
|
| 314 | 314 |
%changelog |
| 315 |
+* Tue Jan 02 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.74-1 |
|
| 316 |
+- Version update |
|
| 317 |
+- Add patches to fix CVE-2017-8824, CVE-2017-17448 and CVE-2017-17450. |
|
| 315 | 318 |
* Thu Dec 21 2017 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.71-1 |
| 316 | 319 |
- Version update |
| 317 | 320 |
* Tue Dec 05 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.66-2 |
| 318 | 321 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,73 @@ |
| 0 |
+commit 4b380c42f7d00a395feede754f0bc2292eebe6e5 |
|
| 1 |
+Author: Kevin Cernekee <cernekee@chromium.org> |
|
| 2 |
+Date: Sun Dec 3 12:12:45 2017 -0800 |
|
| 3 |
+ |
|
| 4 |
+ netfilter: nfnetlink_cthelper: Add missing permission checks |
|
| 5 |
+ |
|
| 6 |
+ The capability check in nfnetlink_rcv() verifies that the caller |
|
| 7 |
+ has CAP_NET_ADMIN in the namespace that "owns" the netlink socket. |
|
| 8 |
+ However, nfnl_cthelper_list is shared by all net namespaces on the |
|
| 9 |
+ system. An unprivileged user can create user and net namespaces |
|
| 10 |
+ in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable() |
|
| 11 |
+ check: |
|
| 12 |
+ |
|
| 13 |
+ $ nfct helper list |
|
| 14 |
+ nfct v1.4.4: netlink error: Operation not permitted |
|
| 15 |
+ $ vpnns -- nfct helper list |
|
| 16 |
+ {
|
|
| 17 |
+ .name = ftp, |
|
| 18 |
+ .queuenum = 0, |
|
| 19 |
+ .l3protonum = 2, |
|
| 20 |
+ .l4protonum = 6, |
|
| 21 |
+ .priv_data_len = 24, |
|
| 22 |
+ .status = enabled, |
|
| 23 |
+ }; |
|
| 24 |
+ |
|
| 25 |
+ Add capable() checks in nfnetlink_cthelper, as this is cleaner than |
|
| 26 |
+ trying to generalize the solution. |
|
| 27 |
+ |
|
| 28 |
+ Signed-off-by: Kevin Cernekee <cernekee@chromium.org> |
|
| 29 |
+ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> |
|
| 30 |
+ |
|
| 31 |
+diff --git a/net/netfilter/nfnetlink_cthelper.c b/net/netfilter/nfnetlink_cthelper.c |
|
| 32 |
+index 41628b3..d33ce6d 100644 |
|
| 33 |
+--- a/net/netfilter/nfnetlink_cthelper.c |
|
| 34 |
+@@ -17,6 +17,7 @@ |
|
| 35 |
+ #include <linux/types.h> |
|
| 36 |
+ #include <linux/list.h> |
|
| 37 |
+ #include <linux/errno.h> |
|
| 38 |
++#include <linux/capability.h> |
|
| 39 |
+ #include <net/netlink.h> |
|
| 40 |
+ #include <net/sock.h> |
|
| 41 |
+ |
|
| 42 |
+@@ -407,6 +408,9 @@ static int nfnl_cthelper_new(struct net *net, struct sock *nfnl, |
|
| 43 |
+ struct nfnl_cthelper *nlcth; |
|
| 44 |
+ int ret = 0; |
|
| 45 |
+ |
|
| 46 |
++ if (!capable(CAP_NET_ADMIN)) |
|
| 47 |
++ return -EPERM; |
|
| 48 |
++ |
|
| 49 |
+ if (!tb[NFCTH_NAME] || !tb[NFCTH_TUPLE]) |
|
| 50 |
+ return -EINVAL; |
|
| 51 |
+ |
|
| 52 |
+@@ -611,6 +615,9 @@ static int nfnl_cthelper_get(struct net *net, struct sock *nfnl, |
|
| 53 |
+ struct nfnl_cthelper *nlcth; |
|
| 54 |
+ bool tuple_set = false; |
|
| 55 |
+ |
|
| 56 |
++ if (!capable(CAP_NET_ADMIN)) |
|
| 57 |
++ return -EPERM; |
|
| 58 |
++ |
|
| 59 |
+ if (nlh->nlmsg_flags & NLM_F_DUMP) {
|
|
| 60 |
+ struct netlink_dump_control c = {
|
|
| 61 |
+ .dump = nfnl_cthelper_dump_table, |
|
| 62 |
+@@ -678,6 +685,9 @@ static int nfnl_cthelper_del(struct net *net, struct sock *nfnl, |
|
| 63 |
+ struct nfnl_cthelper *nlcth, *n; |
|
| 64 |
+ int j = 0, ret; |
|
| 65 |
+ |
|
| 66 |
++ if (!capable(CAP_NET_ADMIN)) |
|
| 67 |
++ return -EPERM; |
|
| 68 |
++ |
|
| 69 |
+ if (tb[NFCTH_NAME]) |
|
| 70 |
+ helper_name = nla_data(tb[NFCTH_NAME]); |
|
| 71 |
+ |
| 0 | 72 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,55 @@ |
| 0 |
+commit 916a27901de01446bcf57ecca4783f6cff493309 |
|
| 1 |
+Author: Kevin Cernekee <cernekee@chromium.org> |
|
| 2 |
+Date: Tue Dec 5 15:42:41 2017 -0800 |
|
| 3 |
+ |
|
| 4 |
+ netfilter: xt_osf: Add missing permission checks |
|
| 5 |
+ |
|
| 6 |
+ The capability check in nfnetlink_rcv() verifies that the caller |
|
| 7 |
+ has CAP_NET_ADMIN in the namespace that "owns" the netlink socket. |
|
| 8 |
+ However, xt_osf_fingers is shared by all net namespaces on the |
|
| 9 |
+ system. An unprivileged user can create user and net namespaces |
|
| 10 |
+ in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable() |
|
| 11 |
+ check: |
|
| 12 |
+ |
|
| 13 |
+ vpnns -- nfnl_osf -f /tmp/pf.os |
|
| 14 |
+ |
|
| 15 |
+ vpnns -- nfnl_osf -f /tmp/pf.os -d |
|
| 16 |
+ |
|
| 17 |
+ These non-root operations successfully modify the systemwide OS |
|
| 18 |
+ fingerprint list. Add new capable() checks so that they can't. |
|
| 19 |
+ |
|
| 20 |
+ Signed-off-by: Kevin Cernekee <cernekee@chromium.org> |
|
| 21 |
+ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> |
|
| 22 |
+ |
|
| 23 |
+diff --git a/net/netfilter/xt_osf.c b/net/netfilter/xt_osf.c |
|
| 24 |
+index 36e14b1..a34f314 100644 |
|
| 25 |
+--- a/net/netfilter/xt_osf.c |
|
| 26 |
+@@ -19,6 +19,7 @@ |
|
| 27 |
+ #include <linux/module.h> |
|
| 28 |
+ #include <linux/kernel.h> |
|
| 29 |
+ |
|
| 30 |
++#include <linux/capability.h> |
|
| 31 |
+ #include <linux/if.h> |
|
| 32 |
+ #include <linux/inetdevice.h> |
|
| 33 |
+ #include <linux/ip.h> |
|
| 34 |
+@@ -70,6 +71,9 @@ static int xt_osf_add_callback(struct net *net, struct sock *ctnl, |
|
| 35 |
+ struct xt_osf_finger *kf = NULL, *sf; |
|
| 36 |
+ int err = 0; |
|
| 37 |
+ |
|
| 38 |
++ if (!capable(CAP_NET_ADMIN)) |
|
| 39 |
++ return -EPERM; |
|
| 40 |
++ |
|
| 41 |
+ if (!osf_attrs[OSF_ATTR_FINGER]) |
|
| 42 |
+ return -EINVAL; |
|
| 43 |
+ |
|
| 44 |
+@@ -115,6 +119,9 @@ static int xt_osf_remove_callback(struct net *net, struct sock *ctnl, |
|
| 45 |
+ struct xt_osf_finger *sf; |
|
| 46 |
+ int err = -ENOENT; |
|
| 47 |
+ |
|
| 48 |
++ if (!capable(CAP_NET_ADMIN)) |
|
| 49 |
++ return -EPERM; |
|
| 50 |
++ |
|
| 51 |
+ if (!osf_attrs[OSF_ATTR_FINGER]) |
|
| 52 |
+ return -EINVAL; |
|
| 53 |
+ |