summaryrefslogtreecommitdiffstats
path: root/sys/netinet/raw_ip.c
diff options
context:
space:
mode:
Diffstat (limited to 'sys/netinet/raw_ip.c')
-rw-r--r--sys/netinet/raw_ip.c10
1 files changed, 10 insertions, 0 deletions
diff --git a/sys/netinet/raw_ip.c b/sys/netinet/raw_ip.c
index f8796f1..96e9b0a 100644
--- a/sys/netinet/raw_ip.c
+++ b/sys/netinet/raw_ip.c
@@ -344,6 +344,16 @@ rip_ctloutput(struct socket *so, struct sockopt *sopt)
if (sopt->sopt_level != IPPROTO_IP)
return (EINVAL);
+ /*
+ * Even though super-user is required to create a raw socket, the
+ * calling cred could be prison root. If so we want to restrict the
+ * access to IP_HDRINCL only.
+ */
+ if (sopt->sopt_name != IP_HDRINCL) {
+ error = suser(curthread);
+ if (error != 0)
+ return (error);
+ }
error = 0;
switch (sopt->sopt_dir) {
OpenPOWER on IntegriCloud