Message ID | 20190906151958.21340-1-christian.brauner@ubuntu.com |
---|---|
State | New |
Series | [v1,SRU,Disco] ipv4: enable route flushing in network namespaces |
On 2019-09-06 17:19:58, Christian Brauner wrote:
> BugLink: https://bugs.launchpad.net/bugs/1836912
>
> Tools such as vpnc try to flush routes when run inside network
> namespaces by writing 1 into /proc/sys/net/ipv4/route/flush. This
> currently does not work because flush is not enabled in non-initial
> network namespaces.
> Since routes are per network namespace it is safe to enable
> /proc/sys/net/ipv4/route/flush in there.
>
> Link: https://github.com/lxc/lxd/issues/4257
> Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
> Signed-off-by: David S. Miller <davem@davemloft.net>
> (cherry picked from commit 5cdda5f1d6adde02da591ca2196f20289977dc56)

This should be safe to SRU.

Acked-by: Tyler Hicks <tyhicks@canonical.com>

Tyler

> --- > net/ipv4/route.c | 12 ++++++++---- > 1 file changed, 8 insertions(+), 4 deletions(-) > > diff --git a/net/ipv4/route.c b/net/ipv4/route.c > index 3c89ca325947..4b1ec9710a32 100644 > --- a/net/ipv4/route.c > +++ b/net/ipv4/route.c > @@ -3077,9 +3077,11 @@ static struct ctl_table ipv4_route_table[] = { > { } > }; > > +static const char ipv4_route_flush_procname[] = "flush"; > + > static struct ctl_table ipv4_route_flush_table[] = { > { > - .procname = "flush", > + .procname = ipv4_route_flush_procname, > .maxlen = sizeof(int), > .mode = 0200, > .proc_handler = ipv4_sysctl_rtcache_flush, > @@ -3097,9 +3099,11 @@ static __net_init int sysctl_route_net_init(struct net *net) > if (!tbl) > goto err_dup; > > - /* Don't export sysctls to unprivileged users */ > - if (net->user_ns != &init_user_ns) > - tbl[0].procname = NULL; > + /* Don't export non-whitelisted sysctls to unprivileged users */ > + if (net->user_ns != &init_user_ns) { > + if (tbl[0].procname != ipv4_route_flush_procname) > + tbl[0].procname = NULL; > + } > } > tbl[0].extra1 = net;
>
> --
> 2.23.0
>
>
> --
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
On 2019-09-06 17:19:58, Christian Brauner wrote:
> BugLink: https://bugs.launchpad.net/bugs/1836912
>
> Tools such as vpnc try to flush routes when run inside network
> namespaces by writing 1 into /proc/sys/net/ipv4/route/flush. This
> currently does not work because flush is not enabled in non-initial
> network namespaces.
> Since routes are per network namespace it is safe to enable
> /proc/sys/net/ipv4/route/flush in there.
>
> Link: https://github.com/lxc/lxd/issues/4257
> Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
> Signed-off-by: David S. Miller <davem@davemloft.net>
> (cherry picked from commit 5cdda5f1d6adde02da591ca2196f20289977dc56)

smb pointed out in another thread that the following line needs to be
injected here when applying the patch to the Disco kernel:

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Christian, please confirm that you are ok with the stable kernel team
inserting your S-O-B (saving you from needing to resubmit the patch).

Tyler

> --- > net/ipv4/route.c | 12 ++++++++---- > 1 file changed, 8 insertions(+), 4 deletions(-) > > diff --git a/net/ipv4/route.c b/net/ipv4/route.c > index 3c89ca325947..4b1ec9710a32 100644 > --- a/net/ipv4/route.c > +++ b/net/ipv4/route.c > @@ -3077,9 +3077,11 @@ static struct ctl_table ipv4_route_table[] = { > { } > }; > > +static const char ipv4_route_flush_procname[] = "flush"; > + > static struct ctl_table ipv4_route_flush_table[] = { > { > - .procname = "flush", > + .procname = ipv4_route_flush_procname, > .maxlen = sizeof(int), > .mode = 0200, > .proc_handler = ipv4_sysctl_rtcache_flush,
> @@ -3097,9 +3099,11 @@ static __net_init int sysctl_route_net_init(struct net *net) > if (!tbl) > goto err_dup; > > - /* Don't export sysctls to unprivileged users */ > - if (net->user_ns != &init_user_ns) > - tbl[0].procname = NULL; > + /* Don't export non-whitelisted sysctls to unprivileged users */ > + if (net->user_ns != &init_user_ns) { > + if (tbl[0].procname != ipv4_route_flush_procname) > + tbl[0].procname = NULL; > + } > } > tbl[0].extra1 = net; > > -- > 2.23.0 > > > -- > kernel-team mailing list > kernel-team@lists.ubuntu.com > https://lists.ubuntu.com/mailman/listinfo/kernel-team
On Wed, Sep 25, 2019 at 08:41:51AM -0500, Tyler Hicks wrote:
> On 2019-09-06 17:19:58, Christian Brauner wrote:
> > BugLink: https://bugs.launchpad.net/bugs/1836912
> >
> > Tools such as vpnc try to flush routes when run inside network
> > namespaces by writing 1 into /proc/sys/net/ipv4/route/flush. This
> > currently does not work because flush is not enabled in non-initial
> > network namespaces.
> > Since routes are per network namespace it is safe to enable
> > /proc/sys/net/ipv4/route/flush in there.
> >
> > Link: https://github.com/lxc/lxd/issues/4257
> > Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
> > Signed-off-by: David S. Miller <davem@davemloft.net>
> > (cherry picked from commit 5cdda5f1d6adde02da591ca2196f20289977dc56)
>
> smb pointed out in another thread that the following line needs to be
> injected here when applying the patch to the Disco kernel:
>
> Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
>
> Christian, please confirm that you are ok with the stable kernel team
> inserting your S-O-B (saving you from needing to resubmit the patch).

That's of course fine with me!

Christian
On 06.09.19 17:19, Christian Brauner wrote:
> BugLink: https://bugs.launchpad.net/bugs/1836912
>
> Tools such as vpnc try to flush routes when run inside network
> namespaces by writing 1 into /proc/sys/net/ipv4/route/flush. This
> currently does not work because flush is not enabled in non-initial
> network namespaces.
> Since routes are per network namespace it is safe to enable
> /proc/sys/net/ipv4/route/flush in there.
>
> Link: https://github.com/lxc/lxd/issues/4257
> Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
> Signed-off-by: David S. Miller <davem@davemloft.net>
> (cherry picked from commit 5cdda5f1d6adde02da591ca2196f20289977dc56)

Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>

> --- > net/ipv4/route.c | 12 ++++++++---- > 1 file changed, 8 insertions(+), 4 deletions(-) > > diff --git a/net/ipv4/route.c b/net/ipv4/route.c > index 3c89ca325947..4b1ec9710a32 100644 > --- a/net/ipv4/route.c > +++ b/net/ipv4/route.c > @@ -3077,9 +3077,11 @@ static struct ctl_table ipv4_route_table[] = { > { } > }; > > +static const char ipv4_route_flush_procname[] = "flush"; > + > static struct ctl_table ipv4_route_flush_table[] = { > { > - .procname = "flush", > + .procname = ipv4_route_flush_procname, > .maxlen = sizeof(int), > .mode = 0200, > .proc_handler = ipv4_sysctl_rtcache_flush, > @@ -3097,9 +3099,11 @@ static __net_init int sysctl_route_net_init(struct net *net) > if (!tbl) > goto err_dup; > > - /* Don't export sysctls to unprivileged users */ > - if (net->user_ns != &init_user_ns) > - tbl[0].procname = NULL; > + /* Don't export non-whitelisted sysctls to unprivileged users */ > + if (net->user_ns != &init_user_ns) { > + if (tbl[0].procname != ipv4_route_flush_procname) > + tbl[0].procname = NULL; > + } > } > tbl[0].extra1 = net;
>
>
On 06.09.19 17:19, Christian Brauner wrote:
> BugLink: https://bugs.launchpad.net/bugs/1836912
>
> Tools such as vpnc try to flush routes when run inside network
> namespaces by writing 1 into /proc/sys/net/ipv4/route/flush. This
> currently does not work because flush is not enabled in non-initial
> network namespaces.
> Since routes are per network namespace it is safe to enable
> /proc/sys/net/ipv4/route/flush in there.
>
> Link: https://github.com/lxc/lxd/issues/4257
> Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
> Signed-off-by: David S. Miller <davem@davemloft.net>
> (cherry picked from commit 5cdda5f1d6adde02da591ca2196f20289977dc56)
> --- > net/ipv4/route.c | 12 ++++++++---- > 1 file changed, 8 insertions(+), 4 deletions(-) > > diff --git a/net/ipv4/route.c b/net/ipv4/route.c > index 3c89ca325947..4b1ec9710a32 100644 > --- a/net/ipv4/route.c > +++ b/net/ipv4/route.c > @@ -3077,9 +3077,11 @@ static struct ctl_table ipv4_route_table[] = { > { } > }; > > +static const char ipv4_route_flush_procname[] = "flush"; > + > static struct ctl_table ipv4_route_flush_table[] = { > { > - .procname = "flush", > + .procname = ipv4_route_flush_procname, > .maxlen = sizeof(int), > .mode = 0200, > .proc_handler = ipv4_sysctl_rtcache_flush, > @@ -3097,9 +3099,11 @@ static __net_init int sysctl_route_net_init(struct net *net) > if (!tbl) > goto err_dup; > > - /* Don't export sysctls to unprivileged users */ > - if (net->user_ns != &init_user_ns) > - tbl[0].procname = NULL; > + /* Don't export non-whitelisted sysctls to unprivileged users */ > + if (net->user_ns != &init_user_ns) { > + if (tbl[0].procname != ipv4_route_flush_procname) > + tbl[0].procname = NULL; > + } > } > tbl[0].extra1 = net;
>
>

Applied to disco/master-next branch.

Thanks,
Kleber
diff --git a/net/ipv4/route.c b/net/ipv4/route.c index 3c89ca325947..4b1ec9710a32 100644 --- a/net/ipv4/route.c +++ b/net/ipv4/route.c @@ -3077,9 +3077,11 @@ static struct ctl_table ipv4_route_table[] = { { } }; +static const char ipv4_route_flush_procname[] = "flush"; + static struct ctl_table ipv4_route_flush_table[] = { { - .procname = "flush", + .procname = ipv4_route_flush_procname, .maxlen = sizeof(int), .mode = 0200, .proc_handler = ipv4_sysctl_rtcache_flush, @@ -3097,9 +3099,11 @@ static __net_init int sysctl_route_net_init(struct net *net) if (!tbl) goto err_dup; - /* Don't export sysctls to unprivileged users */ - if (net->user_ns != &init_user_ns) - tbl[0].procname = NULL; + /* Don't export non-whitelisted sysctls to unprivileged users */ + if (net->user_ns != &init_user_ns) { + if (tbl[0].procname != ipv4_route_flush_procname) + tbl[0].procname = NULL; + } } tbl[0].extra1 = net;
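Review bot: in the first hunk, the new ipv4_route_flush_procname array exists only so that the second hunk can recognise the flush entry by address, and nothing at the declaration says so; a one-line comment such as "/* compared by address in sysctl_route_net_init() */" would stop a later cleanup from folding it back into the "flush" literal, which would silently disable the whitelist check because two equal string literals are not guaranteed to share an address. Worth noting for the SRU review that the entry keeps .mode = 0200, so once it is exported into a child namespace it remains write-only for that namespace's root, and the handler receives the namespace through tbl[0].extra1 = net, which is what confines the flush to that namespace's own routes as the commit message states.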
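Review bot: in the second hunk the comment now reads "Don't export non-whitelisted sysctls" (plural), but the code only ever inspects tbl[0], so any entry added to ipv4_route_flush_table later would be exported to unprivileged namespaces without passing the whitelist; the old code had the same single-index assumption, but the new wording makes it read as a general rule. Either walk the copied table up to its { } sentinel and clear .procname for every entry whose pointer is not ipv4_route_flush_procname, or state in the comment that the table has exactly one entry. The pointer comparison also depends on the duplicate made just before the err_dup check copying the .procname pointer unchanged; that holds for a byte-for-byte copy, but it deserves a word in the comment so the coupling between the two hunks is visible.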