From patchwork Fri Nov 16 13:03:10 2012
X-Patchwork-Submitter: "Eric W. Biederman"
X-Patchwork-Id: 199581
X-Patchwork-Delegate: davem@davemloft.net
From: "Eric W. Biederman"
To: David Miller
Cc: , Serge Hallyn , Linux Containers , "Eric W. Biederman"
Date: Fri, 16 Nov 2012 05:03:10 -0800
Message-Id: <1353070992-5552-15-git-send-email-ebiederm@xmission.com>
X-Mailer: git-send-email 1.7.5.4
In-Reply-To: <1353070992-5552-1-git-send-email-ebiederm@xmission.com>
References: <87d2zd8zwn.fsf@xmission.com> <1353070992-5552-1-git-send-email-ebiederm@xmission.com>
Subject: [PATCH net-next 15/17] net: Enable some sysctls that are safe for the userns root
Sender: netdev-owner@vger.kernel.org
X-Mailing-List: netdev@vger.kernel.org
From: "Eric W. Biederman"

- Enable the per device ipv4 sysctls:
  net/ipv4/conf//forwarding
  net/ipv4/conf//mc_forwarding
  net/ipv4/conf//accept_redirects
  net/ipv4/conf//secure_redirects
  net/ipv4/conf//shared_media
  net/ipv4/conf//rp_filter
  net/ipv4/conf//send_redirects
  net/ipv4/conf//accept_source_route
  net/ipv4/conf//accept_local
  net/ipv4/conf//src_valid_mark
  net/ipv4/conf//proxy_arp
  net/ipv4/conf//medium_id
  net/ipv4/conf//bootp_relay
  net/ipv4/conf//log_martians
  net/ipv4/conf//tag
  net/ipv4/conf//arp_filter
  net/ipv4/conf//arp_announce
  net/ipv4/conf//arp_ignore
  net/ipv4/conf//arp_accept
  net/ipv4/conf//arp_notify
  net/ipv4/conf//proxy_arp_pvlan
  net/ipv4/conf//disable_xfrm
  net/ipv4/conf//disable_policy
  net/ipv4/conf//force_igmp_version
  net/ipv4/conf//promote_secondaries
  net/ipv4/conf//route_localnet

- Enable the global ipv4 sysctl:
  net/ipv4/ip_forward

- Enable the per device ipv6 sysctls:
  net/ipv6/conf//forwarding
  net/ipv6/conf//hop_limit
  net/ipv6/conf//mtu
  net/ipv6/conf//accept_ra
  net/ipv6/conf//accept_redirects
  net/ipv6/conf//autoconf
  net/ipv6/conf//dad_transmits
  net/ipv6/conf//router_solicitations
  net/ipv6/conf//router_solicitation_interval
  net/ipv6/conf//router_solicitation_delay
  net/ipv6/conf//force_mld_version
  net/ipv6/conf//use_tempaddr
  net/ipv6/conf//temp_valid_lft
  net/ipv6/conf//temp_prefered_lft
  net/ipv6/conf//regen_max_retry
  net/ipv6/conf//max_desync_factor
  net/ipv6/conf//max_addresses
  net/ipv6/conf//accept_ra_defrtr
  net/ipv6/conf//accept_ra_pinfo
  net/ipv6/conf//accept_ra_rtr_pref
  net/ipv6/conf//router_probe_interval
  net/ipv6/conf//accept_ra_rt_info_max_plen
  net/ipv6/conf//proxy_ndp
  net/ipv6/conf//accept_source_route
  net/ipv6/conf//optimistic_dad
  net/ipv6/conf//mc_forwarding
  net/ipv6/conf//disable_ipv6
  net/ipv6/conf//accept_dad
  net/ipv6/conf//force_tllao

- Enable the global ipv6 sysctls:
  net/ipv6/bindv6only
  net/ipv6/icmp/ratelimit
Signed-off-by: "Eric W. Biederman" --- net/ipv4/devinet.c | 8 -------- net/ipv6/addrconf.c | 4 ---- net/ipv6/icmp.c | 7 +------ net/ipv6/sysctl_net_ipv6.c | 4 ---- 4 files changed, 1 insertions(+), 22 deletions(-) diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c index f75f4f6..446b1b9 100644 --- a/net/ipv4/devinet.c +++ b/net/ipv4/devinet.c @@ -1643,10 +1643,6 @@ static int __devinet_sysctl_register(struct net *net, char *dev_name, t->devinet_vars[i].extra2 = net; } - /* Don't export sysctls to unprivileged users */ - if (net->user_ns != &init_user_ns) - t->devinet_vars[0].procname = NULL; - snprintf(path, sizeof(path), "net/ipv4/conf/%s", dev_name); t->sysctl_header = register_net_sysctl(net, path, t->devinet_vars); @@ -1732,10 +1728,6 @@ static __net_init int devinet_init_net(struct net *net) tbl[0].data = &all->data[IPV4_DEVCONF_FORWARDING - 1]; tbl[0].extra1 = all; tbl[0].extra2 = net; - - /* Don't export sysctls to unprivileged users */ - if (net->user_ns != &init_user_ns) - tbl[0].procname = NULL; #endif } diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c index b8e0a62..5f1967b 100644 --- a/net/ipv6/addrconf.c +++ b/net/ipv6/addrconf.c @@ -4588,10 +4588,6 @@ static int __addrconf_sysctl_register(struct net *net, char *dev_name, t->addrconf_vars[i].extra2 = net; } - /* Don't export sysctls to unprivileged users */ - if (net->user_ns != &init_user_ns) - t->addrconf_vars[0].procname = NULL; - snprintf(path, sizeof(path), "net/ipv6/conf/%s", dev_name); t->sysctl_header = register_net_sysctl(net, path, t->addrconf_vars); diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c index db9df8a..24d69db 100644 --- a/net/ipv6/icmp.c +++ b/net/ipv6/icmp.c 
@@ -967,14 +967,9 @@ struct ctl_table * __net_init ipv6_icmp_sysctl_init(struct net *net) sizeof(ipv6_icmp_table_template), GFP_KERNEL); - if (table) { + if (table) table[0].data = &net->ipv6.sysctl.icmpv6_time; - /* Don't export sysctls to unprivileged users */ - if (net->user_ns != &init_user_ns) - table[0].procname = NULL; - } - return table; } #endif diff --git a/net/ipv6/sysctl_net_ipv6.c b/net/ipv6/sysctl_net_ipv6.c index b06fd07..e85c48b 100644 --- a/net/ipv6/sysctl_net_ipv6.c +++ b/net/ipv6/sysctl_net_ipv6.c @@ -52,10 +52,6 @@ static int __net_init ipv6_sysctl_net_init(struct net *net) goto out; ipv6_table[0].data = &net->ipv6.sysctl.bindv6only; - /* Don't export sysctls to unprivileged users */ - if (net->user_ns != &init_user_ns) - ipv6_table[0].procname = NULL; - ipv6_route_table = ipv6_route_sysctl_init(net); if (!ipv6_route_table) goto out_ipv6_table;
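Review bot: The devinet.c hunks (and the matching addrconf.c and sysctl_net_ipv6.c hunks) delete the only access control visible in this path, yet the commit message merely asserts that these knobs are "safe for the userns root" without saying why, and nothing in the diff shows what now limits writes from a non-init user namespace. Because a ctl_table array is terminated by the entry whose procname is NULL, the removed `t->devinet_vars[0].procname = NULL;` hid the entire per-device table for such a namespace, so this change does not just unhide `forwarding`: every entry listed in the message becomes visible, and the effective write policy is whatever `register_net_sysctl()` and the permissions callback of the net sysctl root grant the namespace owner. Please expand the message to state that each of these sysctls only touches state belonging to that `struct net` (its own devices, routes and `net->ipv6.sysctl` fields) and to name the permission check that scopes writes to the user namespace owning the net, so a reviewer can verify the safety claim rather than take it on faith.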
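Review bot: In the icmp.c hunk, dropping the braces from `if (table)` is fine once the body is the single `table[0].data = &net->ipv6.sysctl.icmpv6_time;` statement, but the hunk also deletes the blank line that separated that statement from `return table;`; keeping a blank line before the return reads better and keeps the diff minimal. The entry this exposes, `net/ipv6/icmp/ratelimit`, points at `net->ipv6.sysctl.icmpv6_time`, i.e. per-netns state, which is consistent with the message's safety claim; it would help to say so explicitly in the message alongside the other sysctls.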