From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1756970Ab1LNKqK (ORCPT ); Wed, 14 Dec 2011 05:46:10 -0500 Received: from mailhub.sw.ru ([195.214.232.25]:28030 "EHLO relay.sw.ru" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1756949Ab1LNKqH (ORCPT ); Wed, 14 Dec 2011 05:46:07 -0500 Subject: [PATCH 10/11] SUNRPC: allow debug flags modifications only from init_net To: Trond.Myklebust@netapp.com From: Stanislav Kinsbursky Cc: linux-nfs@vger.kernel.org, xemul@parallels.com, neilb@suse.de, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, jbottomley@parallels.com, bfields@fieldses.org, davem@davemloft.net, devel@openvz.org Date: Wed, 14 Dec 2011 14:46:02 +0300 Message-ID: <20111214104602.3991.91169.stgit@localhost6.localdomain6> In-Reply-To: <20111214103602.3991.20990.stgit@localhost6.localdomain6> References: <20111214103602.3991.20990.stgit@localhost6.localdomain6> User-Agent: StGit/0.15 MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Debug flags are global (i.e. for all namespaces). So probably, it is better to restrict write access and allow it only to processes with "init_net" network namespace. Signed-off-by: Stanislav Kinsbursky --- net/sunrpc/sysctl.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) diff --git a/net/sunrpc/sysctl.c b/net/sunrpc/sysctl.c index eda80cf..224b075 100644 --- a/net/sunrpc/sysctl.c +++ b/net/sunrpc/sysctl.c @@ -156,7 +156,8 @@ proc_dodebug(ctl_table *table, int write, return -EINVAL; while (left && isspace(*s)) left--, s++; - *(unsigned int *) table->data = value; + if (net_eq(current->nsproxy->net_ns, &init_net)) + *(unsigned int *) table->data = value; /* Display the RPC tasks on writing to rpc_debug */ if (strcmp(table->procname, "rpc_debug") == 0) rpc_show_tasks(&init_net);
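Review bot: In the proc_dodebug() hunk, the new `net_eq(current->nsproxy->net_ns, &init_net)` test guards only the store to `table->data`, so a write from a non-init network namespace is dropped silently and the function carries on as if it had succeeded. The `rpc_show_tasks(&init_net)` call that follows sits outside the new condition, so a writer in another namespace can still trigger a dump of init_net's RPC tasks by writing to rpc_debug even though its value is ignored. Consider rejecting the write up front with an error (for example -EPERM) when the caller is not in init_net, before the value is parsed, so that both the flag update and the task dump are skipped and userspace sees that the write was refused. If the silent-ignore behaviour is intentional, a comment at the check explaining why would help.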