On 8/24/16 12:46 AM, Lorenzo Colitti wrote: > This allows a privileged process to filter by socket mark when > dumping sockets via INET_DIAG_BY_FAMILY. This is useful on > systems that use mark-based routing such as Android. > > The ability to filter socket marks requires CAP_NET_ADMIN, which > is consistent with other privileged operations allowed by the > SOCK_DIAG interface such as the ability to destroy sockets and > the ability to inspect BPF filters attached to packet sockets.
sock_diag_destroy already requires ADMIN for destroying sockets, so adding here just prevents listing them. Given that and the fact that the diag API does not pass the mark value is there a reason to add the extra ADMIN check?
