    net: allow CAP_NET_RAW to setsockopt SO_PRIORITY · a1b519b7
    Maciej Żenczykowski authored
    CAP_NET_ADMIN is and should continue to be about configuring the
    system as a whole, not about configuring per-socket or per-packet
    parameters.
    Sending and receiving raw packets is what CAP_NET_RAW is all about.
    
    It can already send packets with any VLAN tag, and any IPv4 TOS
    mark, and any IPv6 TCLASS mark, simply by virtue of building
    such a raw packet.  Not to mention using any protocol and source/
    destination IP address/port tuple.
    
    These are the fields that networking gear uses to prioritize packets.
    
    Hence, a CAP_NET_RAW process is already capable of affecting traffic
    prioritization after it hits the wire.  This change makes it capable
    of affecting traffic prioritization even in the host at the nic and
    before that in the queueing disciplines (provided skb->priority is
    actually being used for prioritization, and not the TOS/TCLASS field)
    
    Hence it makes sense to allow a CAP_NET_RAW process to set the
    priority of sockets and thus packets it sends.
    Signed-off-by: Maciej Żenczykowski <maze@google.com>
    Link: https://lore.kernel.org/r/20211123203702.193221-1-zenczykowski@gmail.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
sock.c 93.2 KB