* [RFC PATCH v2] net: Enable some sysctls for the userns root
@ 2021-12-03 9:28 cgel.zte
0 siblings, 0 replies; only message in thread
From: cgel.zte @ 2021-12-03 9:28 UTC (permalink / raw)
To: davem
Cc: xu.xin16, pablo, herbert, horms, netfilter-devel, ebiederm, alex.aring
From: xu xin <xu.xin16@zte.com.cn>
Enabled sysctls include the following changes:
1. net/ipv4/neigh/<if>/*
2. net/ipv6/neigh/<if>/*
3. net/ieee802154/6lowpan/*
4. net/ipv6/route/*
6. net/ipv4/vs/*
7. net/unix/*
8. net/core/xfrm_*
In some scenarios, some userns root have needs to adjust these sysctls
such as sysctls of neighbor in their own netns, but limited just because
they are not init user_ns.
The newly created user namespace OWNS the net namespace, So the root
user inside the user namespace should have rights to access these net
namespace resources.
Signed-off-by: xu xin <xu.xin16@zte.com.cn>
---
net/core/neighbour.c | 4 ----
net/ieee802154/6lowpan/reassembly.c | 4 ----
net/ipv6/route.c | 4 ----
net/netfilter/ipvs/ip_vs_ctl.c | 4 ----
net/netfilter/ipvs/ip_vs_lblc.c | 4 ----
net/netfilter/ipvs/ip_vs_lblcr.c | 3 ---
net/unix/sysctl_net_unix.c | 4 ----
net/xfrm/xfrm_sysctl.c | 4 ----
8 files changed, 31 deletions(-)
diff --git a/net/core/neighbour.c b/net/core/neighbour.c
index 0cdd4d9ad942..44d90cc341ea 100644
--- a/net/core/neighbour.c
+++ b/net/core/neighbour.c
@@ -3771,10 +3771,6 @@ int neigh_sysctl_register(struct net_device *dev, struct neigh_parms *p,
neigh_proc_base_reachable_time;
}
- /* Don't export sysctls to unprivileged users */
- if (neigh_parms_net(p)->user_ns != &init_user_ns)
- t->neigh_vars[0].procname = NULL;
-
switch (neigh_parms_family(p)) {
case AF_INET:
p_name = "ipv4";
diff --git a/net/ieee802154/6lowpan/reassembly.c b/net/ieee802154/6lowpan/reassembly.c
index be6f06adefe0..89cbad6d8368 100644
--- a/net/ieee802154/6lowpan/reassembly.c
+++ b/net/ieee802154/6lowpan/reassembly.c
@@ -366,10 +366,6 @@ static int __net_init lowpan_frags_ns_sysctl_register(struct net *net)
GFP_KERNEL);
if (table == NULL)
goto err_alloc;
-
- /* Don't export sysctls to unprivileged users */
- if (net->user_ns != &init_user_ns)
- table[0].procname = NULL;
}
table[0].data = &ieee802154_lowpan->fqdir->high_thresh;
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index f0d29fcb2094..6a0b15d6500e 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -6409,10 +6409,6 @@ struct ctl_table * __net_init ipv6_route_sysctl_init(struct net *net)
table[8].data = &net->ipv6.sysctl.ip6_rt_min_advmss;
table[9].data = &net->ipv6.sysctl.ip6_rt_gc_min_interval;
table[10].data = &net->ipv6.sysctl.skip_notify_on_dev_down;
-
- /* Don't export sysctls to unprivileged users */
- if (net->user_ns != &init_user_ns)
- table[1].procname = NULL;
}
return table;
diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index 7f645328b47f..a77c8abf2fc7 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -4040,10 +4040,6 @@ static int __net_init ip_vs_control_net_init_sysctl(struct netns_ipvs *ipvs)
tbl = kmemdup(vs_vars, sizeof(vs_vars), GFP_KERNEL);
if (tbl == NULL)
return -ENOMEM;
-
- /* Don't export sysctls to unprivileged users */
- if (net->user_ns != &init_user_ns)
- tbl[0].procname = NULL;
} else
tbl = vs_vars;
/* Initialize sysctl defaults */
diff --git a/net/netfilter/ipvs/ip_vs_lblc.c b/net/netfilter/ipvs/ip_vs_lblc.c
index 7ac7473e3804..567ba33fa5b4 100644
--- a/net/netfilter/ipvs/ip_vs_lblc.c
+++ b/net/netfilter/ipvs/ip_vs_lblc.c
@@ -561,10 +561,6 @@ static int __net_init __ip_vs_lblc_init(struct net *net)
if (ipvs->lblc_ctl_table == NULL)
return -ENOMEM;
- /* Don't export sysctls to unprivileged users */
- if (net->user_ns != &init_user_ns)
- ipvs->lblc_ctl_table[0].procname = NULL;
-
} else
ipvs->lblc_ctl_table = vs_vars_table;
ipvs->sysctl_lblc_expiration = DEFAULT_EXPIRATION;
diff --git a/net/netfilter/ipvs/ip_vs_lblcr.c b/net/netfilter/ipvs/ip_vs_lblcr.c
index 77c323c36a88..a58440a7bf9e 100644
--- a/net/netfilter/ipvs/ip_vs_lblcr.c
+++ b/net/netfilter/ipvs/ip_vs_lblcr.c
@@ -747,9 +747,6 @@ static int __net_init __ip_vs_lblcr_init(struct net *net)
if (ipvs->lblcr_ctl_table == NULL)
return -ENOMEM;
- /* Don't export sysctls to unprivileged users */
- if (net->user_ns != &init_user_ns)
- ipvs->lblcr_ctl_table[0].procname = NULL;
} else
ipvs->lblcr_ctl_table = vs_vars_table;
ipvs->sysctl_lblcr_expiration = DEFAULT_EXPIRATION;
diff --git a/net/unix/sysctl_net_unix.c b/net/unix/sysctl_net_unix.c
index c09bea89151b..01d44e2598e2 100644
--- a/net/unix/sysctl_net_unix.c
+++ b/net/unix/sysctl_net_unix.c
@@ -30,10 +30,6 @@ int __net_init unix_sysctl_register(struct net *net)
if (table == NULL)
goto err_alloc;
- /* Don't export sysctls to unprivileged users */
- if (net->user_ns != &init_user_ns)
- table[0].procname = NULL;
-
table[0].data = &net->unx.sysctl_max_dgram_qlen;
net->unx.ctl = register_net_sysctl(net, "net/unix", table);
if (net->unx.ctl == NULL)
diff --git a/net/xfrm/xfrm_sysctl.c b/net/xfrm/xfrm_sysctl.c
index 0c6c5ef65f9d..a9b7723eb88f 100644
--- a/net/xfrm/xfrm_sysctl.c
+++ b/net/xfrm/xfrm_sysctl.c
@@ -55,10 +55,6 @@ int __net_init xfrm_sysctl_init(struct net *net)
table[2].data = &net->xfrm.sysctl_larval_drop;
table[3].data = &net->xfrm.sysctl_acq_expires;
- /* Don't export sysctls to unprivileged users */
- if (net->user_ns != &init_user_ns)
- table[0].procname = NULL;
-
net->xfrm.sysctl_hdr = register_net_sysctl(net, "net/core", table);
if (!net->xfrm.sysctl_hdr)
goto out_register;
--
2.25.1
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2021-12-03 9:28 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-12-03 9:28 [RFC PATCH v2] net: Enable some sysctls for the userns root cgel.zte
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.