Merge branch 'android-4.4' of https://android.googlesource.com/kernel/common

* android-4.4: (475 commits)
  android: base-cfg: Add CONFIG_IP_MULTICAST
  android: recommended.cfg: enable taskstats
  ANDROID: android: base-cfg: disable CONFIG_SYSVIPC
  android: configs: base: enable configfs gadget functions
  android: add CONFIG_DEBUG_RODATA to recommended config
  android: configs: remove CONFIG_BATTERY_ANDROID=y
  android: configs: base: enable IPV6
  android: configs: Enable SELinux and its dependencies.
  android: base-cfg: disable ALARM_DEV
  android: base-cfg: turn off /dev/mem and /dev/kmem
  android: base-cfg: enable ARMV8_DEPRECATED and subfeatures
  android: base-cfg: enforce the needed XFRM_MODE_TUNNEL (for VPN)
  android: base-cfg: disable LOGGER
  android: base-cfg: enable DM_VERITY (used for secureboot)
  android: configs: add systrace support to recommended configs
  android: configs: update 3.10 options
  android: configs: Add CONFIG_NETFILTER_XT_TARGET_IDLETIMER
  android: configs: add IPV6 ROUTE INFO
  android: configs: add TIMER_STATS back, helps with sysrq t.
  android: configs: Add HIDRAW to recommended set
  ...

1 files changed, 6 insertions, 0 deletions

diff --git a/drivers/net/tun.c b/drivers/net/tun.c
index f0db770e8b2f..2228a539184a 100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -1886,6 +1886,12 @@ static long __tun_chr_ioctl(struct file *file, unsigned int cmd,
 	int le;
 	int ret;
 
+#ifdef CONFIG_ANDROID_PARANOID_NETWORK
+	if (cmd != TUNGETIFF && !capable(CAP_NET_ADMIN)) {
+		return -EPERM;
+	}
+#endif
+
 	if (cmd == TUNSETIFF || cmd == TUNSETQUEUE || _IOC_TYPE(cmd) == 0x89) {
 		if (copy_from_user(&ifr, argp, ifreq_len))
 			return -EFAULT;