Date: Mon, 28 Jun 2021 14:17:29 +0200
From: Christian Brauner
To: menglong8.dong@gmail.com
Cc: mcgrof@kernel.org, keescook@chromium.org, yzaikin@google.com, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, Yang Yang, Zeal Robot
Subject: Re: [PATCH] sysctl: fix permission check while owner isn't GLOBAL_ROOT_UID
Message-ID: <20210628121729.xsbm63b5lxpsvhbu@wittgenstein>
References: <20210625083338.384184-1-yang.yang29@zte.com.cn>
In-Reply-To: <20210625083338.384184-1-yang.yang29@zte.com.cn>

On Fri, Jun 25, 2021 at 01:33:38AM -0700, menglong8.dong@gmail.com wrote:
> From: Yang Yang
>
> With user namespace enabled, root in container can't modify
> /proc/sys/net/ipv4/ip_forward. While /proc/sys/net/ipv4/ip_forward
> belongs to root and mode is 644. Since root in container may
> be non-root in host, but test_perm() doesn't consider it.

I'm confused about what the actual problem is tbh:

root@h3:~# stat -c "%A %a %n" /proc/sys/net/ipv4/ip_forward
-rw-r--r-- 644 /proc/sys/net/ipv4/ip_forward
root@h3:~# echo 0 > /proc/sys/net/ipv4/ip_forward
root@h3:~# cat /proc/sys/net/ipv4/ip_forward
0
root@h3:~# cat /proc/self/uid_map
         0     100000 1000000000

Also, this patch changes the security requirements for all sysctls
which is unfortunately unacceptable.