diff mbox series

[net-next] net: Enable neighbor sysctls that is save for userns root

Message ID 20211208085844.405570-1-xu.xin16@zte.com.cn (mailing list archive)
State Accepted
Commit 8c8b7aa7fb0cf9e1cc9204e6bc6e1353b8393502
Delegated to: Netdev Maintainers
Headers show
Series [net-next] net: Enable neighbor sysctls that is save for userns root | expand

Checks

Context Check Description
netdev/tree_selection success Clearly marked for net-next
netdev/fixes_present success Fixes tag not required for -next series
netdev/subject_prefix success Link
netdev/cover_letter success Single patches do not need cover letters
netdev/patch_count success Link
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 4 this patch: 4
netdev/cc_maintainers success CCed 4 of 4 maintainers
netdev/build_clang success Errors and warnings before: 20 this patch: 20
netdev/module_param success Was 0 now: 0
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/verify_fixes success No Fixes tag
netdev/build_allmodconfig_warn success Errors and warnings before: 6 this patch: 6
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 10 lines checked
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0

Commit Message

CGEL Dec. 8, 2021, 8:58 a.m. UTC
From: xu xin <xu.xin16@zte.com.cn>

Inside netns owned by non-init userns, sysctls about ARP/neighbor is
currently not visible and configurable.

For the attributes these sysctls correspond to, any modifications make
effects on the performance of networking(ARP, especilly) only in the
scope of netns, which does not affect other netns.

Actually, some tools via netlink can modify these attribute. iproute2 is
an example. see as follows:

$ unshare -ur -n
$ cat /proc/sys/net/ipv4/neigh/lo/retrans_time
cat: can't open '/proc/sys/net/ipv4/neigh/lo/retrans_time': No such file
or directory
$ ip ntable show dev lo
inet arp_cache
    dev lo
    refcnt 1 reachable 19494 base_reachable 30000 retrans 1000
    gc_stale 60000 delay_probe 5000 queue 101
    app_probes 0 ucast_probes 3 mcast_probes 3
    anycast_delay 1000 proxy_delay 800 proxy_queue 64 locktime 1000

inet6 ndisc_cache
    dev lo
    refcnt 1 reachable 42394 base_reachable 30000 retrans 1000
    gc_stale 60000 delay_probe 5000 queue 101
    app_probes 0 ucast_probes 3 mcast_probes 3
    anycast_delay 1000 proxy_delay 800 proxy_queue 64 locktime 0
$ ip ntable change name arp_cache dev <if> retrans 2000
inet arp_cache
    dev lo
    refcnt 1 reachable 22917 base_reachable 30000 retrans 2000
    gc_stale 60000 delay_probe 5000 queue 101
    app_probes 0 ucast_probes 3 mcast_probes 3
    anycast_delay 1000 proxy_delay 800 proxy_queue 64 locktime 1000

inet6 ndisc_cache
    dev lo
    refcnt 1 reachable 35524 base_reachable 30000 retrans 1000
    gc_stale 60000 delay_probe 5000 queue 101
    app_probes 0 ucast_probes 3 mcast_probes 3
    anycast_delay 1000 proxy_delay 800 proxy_queue 64 locktime 0

Reported-by: Zeal Robot <zealci@zte.com.cn>
Signed-off-by: xu xin <xu.xin16@zte.com.cn>
---
 net/core/neighbour.c | 4 ----
 1 file changed, 4 deletions(-)

Comments

Joanne Koong Dec. 10, 2021, 7:38 p.m. UTC | #1
On 12/8/21 12:58 AM, cgel.zte@gmail.com wrote:

> From: xu xin <xu.xin16@zte.com.cn>
>
> Inside netns owned by non-init userns, sysctls about ARP/neighbor is
> currently not visible and configurable.
>
> For the attributes these sysctls correspond to, any modifications make
> effects on the performance of networking(ARP, especilly) only in the
> scope of netns, which does not affect other netns.
>
> Actually, some tools via netlink can modify these attribute. iproute2 is
> an example. see as follows:
>
> $ unshare -ur -n
> $ cat /proc/sys/net/ipv4/neigh/lo/retrans_time
> cat: can't open '/proc/sys/net/ipv4/neigh/lo/retrans_time': No such file
> or directory
> $ ip ntable show dev lo
> inet arp_cache
>      dev lo
>      refcnt 1 reachable 19494 base_reachable 30000 retrans 1000
>      gc_stale 60000 delay_probe 5000 queue 101
>      app_probes 0 ucast_probes 3 mcast_probes 3
>      anycast_delay 1000 proxy_delay 800 proxy_queue 64 locktime 1000
>
> inet6 ndisc_cache
>      dev lo
>      refcnt 1 reachable 42394 base_reachable 30000 retrans 1000
>      gc_stale 60000 delay_probe 5000 queue 101
>      app_probes 0 ucast_probes 3 mcast_probes 3
>      anycast_delay 1000 proxy_delay 800 proxy_queue 64 locktime 0
> $ ip ntable change name arp_cache dev <if> retrans 2000
> inet arp_cache
>      dev lo
>      refcnt 1 reachable 22917 base_reachable 30000 retrans 2000
>      gc_stale 60000 delay_probe 5000 queue 101
>      app_probes 0 ucast_probes 3 mcast_probes 3
>      anycast_delay 1000 proxy_delay 800 proxy_queue 64 locktime 1000
>
> inet6 ndisc_cache
>      dev lo
>      refcnt 1 reachable 35524 base_reachable 30000 retrans 1000
>      gc_stale 60000 delay_probe 5000 queue 101
>      app_probes 0 ucast_probes 3 mcast_probes 3
>      anycast_delay 1000 proxy_delay 800 proxy_queue 64 locktime 0
>
> Reported-by: Zeal Robot <zealci@zte.com.cn>
> Signed-off-by: xu xin <xu.xin16@zte.com.cn>
> ---
This LGTM. The neighbour sysctls are registered to the net namespace
associated with the neigh_parms. Any changes made to a net namespace
will be locally scoped to that net namespace (changes won't affect any other
net namespace).

There is also no possibility of a non-privileged user namespace messing 
up the
net namespace sysctls it shares with its parent user namespace. When a 
new user
namespace is created without unsharing the network namespace (eg calling
clone()  with CLONE_NEWUSER), the new user namespace shares its
parent's network namespace. Write access is protected by the mode set
in the sysctl ctl_table (and enforced by procfs). Here in the case of 
the neighbour
sysctls, 0644 is set for every sysctl; only the user owner has write access.


Acked-by: Joanne Koong <joannekoong@fb.com>
>   net/core/neighbour.c | 4 ----
>   1 file changed, 4 deletions(-)
>
> diff --git a/net/core/neighbour.c b/net/core/neighbour.c
> index 0cdd4d9ad942..44d90cc341ea 100644
> --- a/net/core/neighbour.c
> +++ b/net/core/neighbour.c
> @@ -3771,10 +3771,6 @@ int neigh_sysctl_register(struct net_device *dev, struct neigh_parms *p,
>   			neigh_proc_base_reachable_time;
>   	}
>   
> -	/* Don't export sysctls to unprivileged users */
> -	if (neigh_parms_net(p)->user_ns != &init_user_ns)
> -		t->neigh_vars[0].procname = NULL;
> -
>   	switch (neigh_parms_family(p)) {
>   	case AF_INET:
>   	      p_name = "ipv4";
patchwork-bot+netdevbpf@kernel.org Dec. 12, 2021, 12:40 p.m. UTC | #2
Hello:

This patch was applied to netdev/net-next.git (master)
by David S. Miller <davem@davemloft.net>:

On Wed,  8 Dec 2021 08:58:44 +0000 you wrote:
> From: xu xin <xu.xin16@zte.com.cn>
> 
> Inside netns owned by non-init userns, sysctls about ARP/neighbor is
> currently not visible and configurable.
> 
> For the attributes these sysctls correspond to, any modifications make
> effects on the performance of networking(ARP, especilly) only in the
> scope of netns, which does not affect other netns.
> 
> [...]

Here is the summary with links:
  - [net-next] net: Enable neighbor sysctls that is save for userns root
    https://git.kernel.org/netdev/net-next/c/8c8b7aa7fb0c

You are awesome, thank you!
diff mbox series

Patch

diff --git a/net/core/neighbour.c b/net/core/neighbour.c
index 0cdd4d9ad942..44d90cc341ea 100644
--- a/net/core/neighbour.c
+++ b/net/core/neighbour.c
@@ -3771,10 +3771,6 @@  int neigh_sysctl_register(struct net_device *dev, struct neigh_parms *p,
 			neigh_proc_base_reachable_time;
 	}
 
-	/* Don't export sysctls to unprivileged users */
-	if (neigh_parms_net(p)->user_ns != &init_user_ns)
-		t->neigh_vars[0].procname = NULL;
-
 	switch (neigh_parms_family(p)) {
 	case AF_INET:
 	      p_name = "ipv4";