diff options
author | Vincent Bernat <bernat@luffy.cx> | 2013-01-16 22:55:49 +0100 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2013-01-17 09:21:25 +0100 |
commit | d59577b6ffd313d0ab3be39cb1ab47e29bdc9182 (patch) | |
tree | 8e3e40ac4fd723778af191af78e8f40519338709 /arch/sparc/include | |
parent | netpoll: fix a missing dev refcounting (diff) | |
download | linux-d59577b6ffd313d0ab3be39cb1ab47e29bdc9182.tar.xz linux-d59577b6ffd313d0ab3be39cb1ab47e29bdc9182.zip |
sk-filter: Add ability to lock a socket filter program
While a privileged program can open a raw socket, attach some
restrictive filter and drop its privileges (or send the socket to an
unprivileged program through some Unix socket), the filter can still
be removed or modified by the unprivileged program. This commit adds a
socket option to lock the filter (SO_LOCK_FILTER) preventing any
modification of a socket filter program.
This is similar to OpenBSD BIOCLOCK ioctl on bpf sockets, except even
root is not allowed change/drop the filter.
The state of the lock can be read with getsockopt(). No error is
triggered if the state is not changed. -EPERM is returned when a user
tries to remove the lock or to change/remove the filter while the lock
is active. The check is done directly in sk_attach_filter() and
sk_detach_filter() and does not affect only setsockopt() syscall.
Signed-off-by: Vincent Bernat <bernat@luffy.cx>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'arch/sparc/include')
-rw-r--r-- | arch/sparc/include/uapi/asm/socket.h | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/arch/sparc/include/uapi/asm/socket.h b/arch/sparc/include/uapi/asm/socket.h index c83a937ead00..fbbba57547d1 100644 --- a/arch/sparc/include/uapi/asm/socket.h +++ b/arch/sparc/include/uapi/asm/socket.h @@ -66,6 +66,7 @@ /* Instruct lower device to use last 4-bytes of skb data as FCS */ #define SO_NOFCS 0x0027 +#define SO_LOCK_FILTER 0x0028 /* Security levels - as per NRL IPv6 - don't actually do anything */ #define SO_SECURITY_AUTHENTICATION 0x5001 |