
[net-next] net: Enable unix sysctls to be configurable by non-init user namespaces

Message ID 20211207202101.2457994-1-joannekoong@fb.com (mailing list archive)
State Changes Requested
Delegated to: Netdev Maintainers
Series [net-next] net: Enable unix sysctls to be configurable by non-init user namespaces

Checks

Context Check Description
netdev/tree_selection success Clearly marked for net-next
netdev/fixes_present success Fixes tag not required for -next series
netdev/subject_prefix success Link
netdev/cover_letter success Single patches do not need cover letters
netdev/patch_count success Link
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 0 this patch: 0
netdev/cc_maintainers success CCed 4 of 4 maintainers
netdev/build_clang success Errors and warnings before: 0 this patch: 0
netdev/module_param success Was 0 now: 0
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/verify_fixes success No Fixes tag
netdev/build_allmodconfig_warn success Errors and warnings before: 0 this patch: 0
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 10 lines checked
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0

Commit Message

Joanne Koong Dec. 7, 2021, 8:21 p.m. UTC
Currently, when a networking namespace is initialized, its unix sysctls
are exposed only if the user namespace that "owns" it is the init user
namespace.

If there is a non-init user namespace that "owns" a networking
namespace (for example, in the case after we call clone() with both
CLONE_NEWUSER and CLONE_NEWNET set), the sysctls are hidden from view
and not configurable.

This patch enables the unix networking sysctls (there is currently only
1, "sysctl_max_dgram_qlen", which is used as the default
"sk_max_ack_backlog" value when a unix socket is created) to be exposed
to non-init user namespaces.

This is safe because any changes made to these sysctls will be limited
in scope to the networking namespace the non-init user namespace "owns"
and has privileges over.

Signed-off-by: Joanne Koong <joannekoong@fb.com>
---
 net/unix/sysctl_net_unix.c | 4 ----
 1 file changed, 4 deletions(-)
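The namespace setup the commit message describes, as an added example that is not part of the patch or of the kernel tree: a small C program (the enum, function and path constants are my own naming) that unshares into a new user namespace owning a new network namespace and reports whether the unix sysctl is visible there and whether the namespace owner can open it for writing. It assumes, as the kernel's proc sysctl code does, that /proc/sys/net resolves against the calling task's current netns without remounting /proc, and that the per-netns permission hook behind register_net_sysctl() grants whoever holds CAP_NET_ADMIN in the owning user namespace the owner bits of the entry. Nothing is written; only the open mode is tested, and a host that refuses unprivileged user namespaces is reported rather than treated as an error.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Outcome of probing the unix sysctl from inside a fresh user+net namespace. */
enum probe_result {
    PROBE_HIDDEN      = 0, /* file absent: kernel hides it from a non-init user_ns */
    PROBE_READ_ONLY   = 1, /* present, but the namespace owner cannot open it for writing */
    PROBE_WRITABLE    = 2, /* present and writable by the namespace owner */
    PROBE_UNSUPPORTED = 3, /* this host refuses unprivileged user+net namespaces */
};

/* Sysctl path: the "net/unix" table from the patch, exposed under /proc/sys. */
static const char SYSCTL_PATH[] = "/proc/sys/net/unix/max_dgram_qlen";

/* Parse sysctl file text such as "10\n" into an int; -1 on malformed input. */
int parse_sysctl_value(const char *text)
{
    char *end;
    errno = 0;
    long v = strtol(text, &end, 10);
    if (end == text || errno != 0 || v < 0 || v > INT_MAX)
        return -1;
    while (*end == '\n' || *end == ' ')
        end++;
    return *end == '\0' ? (int)v : -1;
}

/*
 * Fork a child, move it into a new user namespace that owns a new network
 * namespace (the CLONE_NEWUSER|CLONE_NEWNET case from the commit message),
 * and report whether the unix sysctl is visible and writable from there.
 * Assumption: /proc/sys/net is looked up against the caller's current netns,
 * so no fresh /proc mount is required. Nothing is written to the sysctl.
 */
int probe_unix_sysctl_in_new_ns(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return PROBE_UNSUPPORTED;
    if (pid == 0) {
        if (unshare(CLONE_NEWUSER | CLONE_NEWNET) != 0)
            _exit(PROBE_UNSUPPORTED);          /* EPERM/ENOSYS: userns disabled here */
        if (access(SYSCTL_PATH, F_OK) != 0)
            _exit(PROBE_HIDDEN);               /* pre-patch behaviour: table not registered */
        int fd = open(SYSCTL_PATH, O_WRONLY);  /* owner bits granted via CAP_NET_ADMIN in user_ns */
        if (fd < 0)
            _exit(PROBE_READ_ONLY);
        close(fd);
        _exit(PROBE_WRITABLE);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return PROBE_UNSUPPORTED;
    return WEXITSTATUS(status);
}

int main(void)
{
    static const char *names[] = { "hidden", "read-only", "writable", "unsupported" };
    int r = probe_unix_sysctl_in_new_ns();
    printf("%s in a netns owned by a new user namespace: %s\n", SYSCTL_PATH, names[r]);
    return 0;
}
```

Build with `gcc -Wall -o unix_sysctl_probe unix_sysctl_probe.c` and run it as an unprivileged user: a kernel with the `procname = NULL` guard still in place reports "hidden", a kernel carrying this patch reports "writable" for the namespace owner, and a host with unprivileged user namespaces disabled reports "unsupported".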

Comments

Jakub Kicinski Dec. 8, 2021, 5:49 a.m. UTC | #1
CC: Eric B

On Tue, 7 Dec 2021 12:21:01 -0800 Joanne Koong wrote:
> Currently, when a networking namespace is initialized, its unix sysctls
> are exposed only if the user namespace that "owns" it is the init user
> namespace.
> 
> If there is a non-init user namespace that "owns" a networking
> namespace (for example, in the case after we call clone() with both
> CLONE_NEWUSER and CLONE_NEWNET set), the sysctls are hidden from view
> and not configurable.
> 
> This patch enables the unix networking sysctls (there is currently only
> 1, "sysctl_max_dgram_qlen", which is used as the default
> "sk_max_ack_backlog" value when a unix socket is created) to be exposed
> to non-init user namespaces.
> 
> This is safe because any changes made to these sysctls will be limited
> in scope to the networking namespace the non-init user namespace "owns"
> and has privileges over.
> 
> Signed-off-by: Joanne Koong <joannekoong@fb.com>
> ---
>  net/unix/sysctl_net_unix.c | 4 ----
>  1 file changed, 4 deletions(-)
> 
> diff --git a/net/unix/sysctl_net_unix.c b/net/unix/sysctl_net_unix.c
> index c09bea89151b..01d44e2598e2 100644
> --- a/net/unix/sysctl_net_unix.c
> +++ b/net/unix/sysctl_net_unix.c
> @@ -30,10 +30,6 @@ int __net_init unix_sysctl_register(struct net *net)
>  	if (table == NULL)
>  		goto err_alloc;
>  
> -	/* Don't export sysctls to unprivileged users */
> -	if (net->user_ns != &init_user_ns)
> -		table[0].procname = NULL;
> -
>  	table[0].data = &net->unx.sysctl_max_dgram_qlen;
>  	net->unx.ctl = register_net_sysctl(net, "net/unix", table);
>  	if (net->unx.ctl == NULL)
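Review bot: the commit message's safety argument (changes stay scoped to the owned netns) covers isolation but not resource consumption, which is the usual reason the removed `net->user_ns != &init_user_ns` guard exists: once the guard is gone, an unprivileged owner of a user namespace can raise `sysctl_max_dgram_qlen`, and the message itself says that value becomes the default `sk_max_ack_backlog` for every unix socket created in that netns. Please state in the commit message what still bounds the memory that queued datagrams can consume at a high limit (per-socket buffer accounting or otherwise), so a reviewer can confirm there is no host-wide effect.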

Patch

diff --git a/net/unix/sysctl_net_unix.c b/net/unix/sysctl_net_unix.c
index c09bea89151b..01d44e2598e2 100644
--- a/net/unix/sysctl_net_unix.c
+++ b/net/unix/sysctl_net_unix.c
@@ -30,10 +30,6 @@  int __net_init unix_sysctl_register(struct net *net)
 	if (table == NULL)
 		goto err_alloc;
 
-	/* Don't export sysctls to unprivileged users */
-	if (net->user_ns != &init_user_ns)
-		table[0].procname = NULL;
-
 	table[0].data = &net->unx.sysctl_max_dgram_qlen;
 	net->unx.ctl = register_net_sysctl(net, "net/unix", table);
 	if (net->unx.ctl == NULL)
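Review bot: with the guard removed, who may write the entry in a non-init namespace is now decided entirely by the per-namespace permission handling behind `register_net_sysctl(net, "net/unix", table)` and by the mode of the entry in `table`, neither of which is visible in this hunk; the commit message should say explicitly that the netns owner (the holder of CAP_NET_ADMIN in the owning user namespace) gains write access while other users inside that namespace keep read-only access, since that is the actual privilege boundary this change relies on.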