diff --git a/include/net/ip.h b/include/net/ip.h
index cebf3e10def1..5a61bd948b18 100644
--- a/include/net/ip.h
+++ b/include/net/ip.h
@@ -351,9 +351,9 @@ static inline bool sysctl_dev_name_is_allowed(const char *name)
 return strcmp(name, "default") != 0 && strcmp(name, "all") != 0;
 }
-static inline int inet_prot_sock(struct net *net)
+static inline bool inet_port_requires_bind_service(struct net *net, unsigned short port)
 {
- return net->ipv4.sysctl_ip_prot_sock;
+ return port < net->ipv4.sysctl_ip_prot_sock;
 }
 #else
@@ -362,9 +362,9 @@ static inline bool inet_is_local_reserved_port(struct net *net, int port)
 return false;
 }
-static inline int inet_prot_sock(struct net *net)
+static inline bool inet_port_requires_bind_service(struct net *net, unsigned short port)
 {
- return PROT_SOCK;
+ return port < PROT_SOCK;
 }
 #endif
diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
index 53de8e00990e..2fe295432c24 100644
--- a/net/ipv4/af_inet.c
+++ b/net/ipv4/af_inet.c
@@ -495,7 +495,7 @@ int __inet_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len,
 snum = ntohs(addr->sin_port);
 err = -EACCES;
- if (snum && snum < inet_prot_sock(net) &&
+ if (snum && inet_port_requires_bind_service(net, snum) &&
 !ns_capable(net->user_ns, CAP_NET_BIND_SERVICE))
 goto out;
diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
index ef37e0574f54..60e2ff91a5b3 100644
--- a/net/ipv6/af_inet6.c
+++ b/net/ipv6/af_inet6.c
@@ -292,7 +292,7 @@ static int __inet6_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len,
 return -EINVAL;
 snum = ntohs(addr->sin6_port);
- if (snum && snum < inet_prot_sock(net) &&
+ if (snum && inet_port_requires_bind_service(net, snum) &&
 !ns_capable(net->user_ns, CAP_NET_BIND_SERVICE))
 return -EACCES;
diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index 3be7398901e0..8d14a1acbc37 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
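Review bot: The new `inet_port_requires_bind_service` helper in ip.h carries no comment, and two parts of its contract are not visible from the signature: `port` is expected in host byte order (the callers changed here pass `ntohs()` results or `ep->base.bind_addr.port`), and port 0 yields true whenever the threshold is non-zero, so the autobind case must be excluded by the caller — which is why `__inet_bind` and `__inet6_bind` keep their `snum &&` guard. The same applies to the `#else` copy at @@ -362. Suggested comment above both definitions: `/* Does binding @port (host byte order) in @net need CAP_NET_BIND_SERVICE? Port 0 (autobind) is not special-cased; callers exclude it. */`. A smaller style point: the sibling `inet_is_local_reserved_port` visible in the second hunk header takes `int port` while the new helper takes `unsigned short`; aligning the two, or saying why they differ, would help.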
@@ -423,7 +423,7 @@ ip_vs_service_find(struct netns_ipvs *ipvs, int af, __u32 fwmark, __u16 protocol
 if (!svc && protocol == IPPROTO_TCP &&
 atomic_read(&ipvs->ftpsvc_counter) &&
- (vport == FTPDATA || ntohs(vport) >= inet_prot_sock(ipvs->net))) {
+ (vport == FTPDATA || !inet_port_requires_bind_service(ipvs->net, ntohs(vport)))) {
 /*
 * Check if ftp service entry exists, the packet
 * might belong to FTP data connections.
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index e4c398db07a0..0b485952a71c 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -384,7 +384,7 @@ static int sctp_do_bind(struct sock *sk, union sctp_addr *addr, int len)
 }
 }
- if (snum && snum < inet_prot_sock(net) &&
+ if (snum && inet_port_requires_bind_service(net, snum) &&
 !ns_capable(net->user_ns, CAP_NET_BIND_SERVICE))
 return -EACCES;
@@ -1061,7 +1061,7 @@ static int sctp_connect_new_asoc(struct sctp_endpoint *ep,
 if (sctp_autobind(sk))
 return -EAGAIN;
 } else {
- if (ep->base.bind_addr.port < inet_prot_sock(net) &&
+ if (inet_port_requires_bind_service(net, ep->base.bind_addr.port) &&
 !ns_capable(net->user_ns, CAP_NET_BIND_SERVICE))
 return -EACCES;
 }
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 9625b99e677f..753b327f4806 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4623,8 +4623,8 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
 inet_get_local_port_range(sock_net(sk), &low, &high);
- if (snum < max(inet_prot_sock(sock_net(sk)), low) ||
- snum > high) {
+ if (inet_port_requires_bind_service(sock_net(sk), snum) ||
+ snum < low || snum > high) {
 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
 if (err)
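Review bot: The rewritten condition in ip_vs_service_find now reads as a double negative, `!inet_port_requires_bind_service(...)`, for a check that is not about binding at all: it asks whether `vport` is a port an FTP data connection could plausibly use. The result is equivalent to the removed `ntohs(vport) >= inet_prot_sock(ipvs->net)`, but the intent is now only recoverable by expanding the helper, and the line has grown well past 80 columns. A short comment on the line above the `if`, e.g. `/* Only FTPDATA or a port not needing CAP_NET_BIND_SERVICE can carry FTP data */`, would restore the reading; the function's body continues outside the hunk.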
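Review bot: In sctp_connect_new_asoc the new call passes `ep->base.bind_addr.port` with no `port &&` guard, unlike sctp_do_bind at @@ -384 and the inet bind paths; since the helper is `port < threshold`, a zero port here would be refused with -EACCES for an unprivileged caller. This is presumably fine only because the surrounding `else` belongs to an `if` that handles the unbound case through `sctp_autobind` — that condition is outside the hunk, so it is worth confirming it tests the port. Making the dependency explicit with `/* port is non-zero here: the autobind branch above handles port 0 */` would keep a later restructuring from silently breaking it. The function starts outside the hunk.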