[openib-general] [PATCH] RDMA CM: only allow privileged access to ports below 1024

Sean Hefty sean.hefty at intel.com
Fri Apr 21 10:53:19 PDT 2006


Restrict access to ports below 1024 to privileged users.

Signed-off-by: Sean Hefty <sean.hefty at intel.com>

---

I added the check to the kernel rdma_cm. Does this look right to you?

Index: cma.c
===================================================================
--- cma.c	(revision 6541)
+++ cma.c	(working copy)
@@ -1375,11 +1375,16 @@ static int cma_use_port(struct idr *ps, 
 	struct sockaddr_in *sin, *cur_sin;
 	struct rdma_bind_list *bind_list;
 	struct hlist_node *node;
+	unsigned short snum;
 
 	sin = (struct sockaddr_in *) &id_priv->id.route.addr.src_addr;
-	bind_list = idr_find(ps, ntohs(sin->sin_port));
+	snum = ntohs(sin->sin_port);
+	if (snum < PROT_SOCK && !capable(CAP_NET_BIND_SERVICE))
+		return -EACCES;
+
+	bind_list = idr_find(ps, snum);
 	if (!bind_list)
-		return cma_alloc_port(ps, id_priv, ntohs(sin->sin_port));
+		return cma_alloc_port(ps, id_priv, snum);
 
 	/*
 	 * We don't support binding to any address if anyone is bound to
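Review bot: the new `snum < PROT_SOCK && !capable(CAP_NET_BIND_SERVICE)` check also matches sin_port == 0, so if the "bind to any port" case can reach cma_use_port(), an unprivileged caller asking for an ephemeral port would now get -EACCES instead of a port from cma_alloc_port(); please confirm that callers route the any-port case elsewhere before this function, or exclude zero explicitly (`if (snum && snum < PROT_SOCK && ...)`). The rest mirrors inet_bind(): same PROT_SOCK threshold, same capability, same -EACCES, and caching ntohs() in `snum` rather than recomputing it twice reads better.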
