* [PATCH next] sysctl: expose all net/core sysctls inside netns
@ 2022-12-22 19:10 Mahesh Bandewar
From: Mahesh Bandewar @ 2022-12-22 19:10 UTC (permalink / raw)
To: Netdev
Cc: Mahesh Bandewar, Mahesh Bandewar, David S. Miller, Eric Dumazet,
Jakub Kicinski, Paolo Abeni, Soheil Hassas Yeganeh
All were not visible to the non-priv users inside netns. However,
with 4ecb90090c84 ("sysctl: allow override of /proc/sys/net with
CAP_NET_ADMIN"), these vars are protected from getting modified.
A proc with capable(CAP_NET_ADMIN) can change the values so
not having them visible inside netns is just causing nuisance to
processes that check certain values (e.g. net.core.somaxconn) and
see different behavior in root-netns vs. other-netns.
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Jakub Kicinski <kuba@kernel.org>
Cc: Paolo Abeni <pabeni@redhat.com>
Cc: Soheil Hassas Yeganeh <soheil@google.com>
Signed-off-by: Mahesh Bandewar <maheshb@google.com>
---
net/core/sysctl_net_core.c | 5 -----
1 file changed, 5 deletions(-)
diff --git a/net/core/sysctl_net_core.c b/net/core/sysctl_net_core.c
index 5b1ce656baa1..e7b98162c632 100644
--- a/net/core/sysctl_net_core.c
+++ b/net/core/sysctl_net_core.c
@@ -643,11 +643,6 @@ static __net_init int sysctl_core_net_init(struct net *net)
for (tmp = tbl; tmp->procname; tmp++)
tmp->data += (char *)net - (char *)&init_net;
-
- /* Don't export any sysctls to unprivileged users */
- if (net->user_ns != &init_user_ns) {
- tbl[0].procname = NULL;
- }
}
net->core.sysctl_hdr = register_net_sysctl(net, "net/core", tbl);
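Review bot: the deleted `if (net->user_ns != &init_user_ns)` block was the only check in sysctl_core_net_init() that kept these entries away from a netns owned by a non-initial user namespace, yet nothing in this hunk shows what keeps a process without CAP_NET_ADMIN in that netns from writing them once they are registered; the commit message should spell out how 4ecb90090c84 enforces the write protection (which permission check, and against which user namespace's CAP_NET_ADMIN) instead of only citing the commit id. Worth stating as well that, because `tmp->data += (char *)net - (char *)&init_net;` has already rebased every entry onto this netns's private copy, what becomes readable is per-namespace state only, not init_net's values. The message would also benefit from the observed before/after result of reading net.core.somaxconn from an unprivileged netns, since that is the user-visible change.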
--
2.39.0.314.g84b9a713c41-goog
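A defender's check for the behaviour the commit message describes, added here and not part of the patch or the kernel tree. It assumes util-linux `unshare` is installed and /proc/sys is mounted, and uses net.core.somaxconn as the commit message does:

```shell
#!/bin/sh
# Added check, not part of the patch or the kernel tree: report how one
# sysctl file looks to the probing process. The result is one of
#   absent | unreadable | readonly:<value> | writable:<value>
# Writing the current value back proves writability without changing it.
PROBE='
p=$1
[ -e "$p" ] || { echo absent; exit 0; }
v=$(cat "$p" 2>/dev/null) || { echo unreadable; exit 0; }
if printf "%s\n" "$v" > "$p" 2>/dev/null; then
    echo "writable:$v"
else
    echo "readonly:$v"
fi'

# View from the namespace the caller already lives in.
probe_sysctl() {
    sh -c "$PROBE" sh "$1"
}

# View from a fresh user+net namespace (unshare -Urn), the case the patch
# changes: before it the net/core entries report "absent" there, after it
# they are present; whether they are writable depends on whether the
# process holds CAP_NET_ADMIN over that netns (the creator of -Urn does).
# Prints "no-unshare" where a user namespace cannot be created.
probe_sysctl_in_netns() {
    command -v unshare >/dev/null 2>&1 || { echo no-unshare; return 0; }
    unshare -Urn sh -c "$PROBE" sh "$1" 2>/dev/null || echo no-unshare
}

# Compare both views for one net/core sysctl (default: the one the
# commit message names).
compare_views() {
    name=${1:-somaxconn}
    f=/proc/sys/net/core/$name
    printf '%-10s host=%s netns=%s\n' "$name" \
        "$(probe_sysctl "$f")" "$(probe_sysctl_in_netns "$f")"
}

compare_views somaxconn
```

On a kernel without the patch the netns column reads "absent"; with it the entry is present, and a process that lacks CAP_NET_ADMIN over that netns should see "readonly".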
* Re: [PATCH next] sysctl: expose all net/core sysctls inside netns
From: Soheil Hassas Yeganeh @ 2022-12-22 20:16 UTC (permalink / raw)
To: Mahesh Bandewar
Cc: Netdev, Mahesh Bandewar, David S. Miller, Eric Dumazet,
Jakub Kicinski, Paolo Abeni
On Thu, Dec 22, 2022 at 2:10 PM Mahesh Bandewar <maheshb@google.com> wrote:
>
> All were not visible to the non-priv users inside netns. However,
> with 4ecb90090c84 ("sysctl: allow override of /proc/sys/net with
> CAP_NET_ADMIN"), these vars are protected from getting modified.
> A proc with capable(CAP_NET_ADMIN) can change the values so
> not having them visible inside netns is just causing nuisance to
> processes that check certain values (e.g. net.core.somaxconn) and
> see different behavior in root-netns vs. other-netns.
>
> Cc: "David S. Miller" <davem@davemloft.net>
> Cc: Eric Dumazet <edumazet@google.com>
> Cc: Jakub Kicinski <kuba@kernel.org>
> Cc: Paolo Abeni <pabeni@redhat.com>
> Cc: Soheil Hassas Yeganeh <soheil@google.com>
> Signed-off-by: Mahesh Bandewar <maheshb@google.com>
Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
Thanks!
> ---
> net/core/sysctl_net_core.c | 5 -----
> 1 file changed, 5 deletions(-)
>
> diff --git a/net/core/sysctl_net_core.c b/net/core/sysctl_net_core.c
> index 5b1ce656baa1..e7b98162c632 100644
> --- a/net/core/sysctl_net_core.c
> +++ b/net/core/sysctl_net_core.c
> @@ -643,11 +643,6 @@ static __net_init int sysctl_core_net_init(struct net *net)
>
> for (tmp = tbl; tmp->procname; tmp++)
> tmp->data += (char *)net - (char *)&init_net;
> -
> - /* Don't export any sysctls to unprivileged users */
> - if (net->user_ns != &init_user_ns) {
> - tbl[0].procname = NULL;
> - }
> }
>
> net->core.sysctl_hdr = register_net_sysctl(net, "net/core", tbl);
> --
> 2.39.0.314.g84b9a713c41-goog
* Re: [PATCH next] sysctl: expose all net/core sysctls inside netns
From: Jakub Kicinski @ 2022-12-23 2:12 UTC (permalink / raw)
To: Mahesh Bandewar
Cc: Netdev, Mahesh Bandewar, David S. Miller, Eric Dumazet,
Paolo Abeni, Soheil Hassas Yeganeh
On Thu, 22 Dec 2022 11:10:05 -0800 Mahesh Bandewar wrote:
> All were not visible to the non-priv users inside netns. However,
> with 4ecb90090c84 ("sysctl: allow override of /proc/sys/net with
> CAP_NET_ADMIN"), these vars are protected from getting modified.
> A proc with capable(CAP_NET_ADMIN) can change the values so
> not having them visible inside netns is just causing nuisance to
> processes that check certain values (e.g. net.core.somaxconn) and
> see different behavior in root-netns vs. other-netns.
SG, but net-next is closed, please repost after New Year.
* Re: [PATCH next] sysctl: expose all net/core sysctls inside netns
From: Mahesh Bandewar (महेश बंडेवार) @ 2022-12-28 18:40 UTC (permalink / raw)
To: Jakub Kicinski
Cc: Netdev, Mahesh Bandewar, David S. Miller, Eric Dumazet,
Paolo Abeni, Soheil Hassas Yeganeh
On Thu, Dec 22, 2022 at 6:12 PM Jakub Kicinski <kuba@kernel.org> wrote:
>
> On Thu, 22 Dec 2022 11:10:05 -0800 Mahesh Bandewar wrote:
> > All were not visible to the non-priv users inside netns. However,
> > with 4ecb90090c84 ("sysctl: allow override of /proc/sys/net with
> > CAP_NET_ADMIN"), these vars are protected from getting modified.
> > A proc with capable(CAP_NET_ADMIN) can change the values so
> > not having them visible inside netns is just causing nuisance to
> > processes that check certain values (e.g. net.core.somaxconn) and
> > see different behavior in root-netns vs. other-netns.
>
> SG, but net-next is closed, please repost after New Year.
My bad, thanks for the note. Happy holidays and will post it next year.