From: ebiederm@xmission.com (Eric W. Biederman)
To: Rob Landley
Cc: "linux-kernel@vger.kernel.org", davem@davemloft.net, kuznet@ms2.inr.ac.ru, xiyou.wangcong@gmail.com, yoshfuji@linux-ipv6.org, segoon@openwall.com,
Date: Tue, 31 Oct 2017 13:44:59 -0500
Subject: Re: [PATCH 1/1] Change ping_group_range default to what Android's init script sets.
Message-ID: <8760avupg4.fsf@xmission.com>
In-Reply-To: <29f9ee1d-7ad4-b4df-7202-35c66893cc16@landley.net> (Rob Landley's message of "Mon, 30 Oct 2017 22:39:25 -0500")

Rob Landley writes:

> From: Rob Landley
>
> See message from the Android "native tools and libraries team" lead
> (I.E. the maintainer of bionic, adb, toolbox, etc) at
> http://lists.landley.net/pipermail/toybox-landley.net/2017-July/009103.html

Sigh. The list has no https access so it is unreachable here, and even if it were I would not be able to verify that was not some spoofed or someone was not hacking the contents of the list archive in flight.

As for the patch itself going from no group is allowed to create ping sockets by default to everyone may create ping sockets by default seems potentially dangerous.

Why in the world would this be safe? Why would this be wise?

Eric

> Signed-off-by: Rob Landley
> --- > > net/ipv4/af_inet.c | 8 ++------ > 1 file changed, 2 insertions(+), 6 deletions(-) > > diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c > index e31108e..5b39a96 100644 > --- a/net/ipv4/af_inet.c > +++ b/net/ipv4/af_inet.c > @@ -1712,12 +1712,8 @@ static __net_init int inet_init_net(struct net *net) > net->ipv4.ip_local_ports.range[1] = 60999; > > seqlock_init(&net->ipv4.ping_group_range.lock); > - /* > - * Sane defaults - nobody may create ping sockets. > - * Boot scripts should set this to distro-specific group. > - */ > - net->ipv4.ping_group_range.range[0] = make_kgid(&init_user_ns, 1); > - net->ipv4.ping_group_range.range[1] = make_kgid(&init_user_ns, 0); > + net->ipv4.ping_group_range.range[0] = make_kgid(&init_user_ns, 0); > + net->ipv4.ping_group_range.range[1] = make_kgid(&init_user_ns, 2147483647); > > /* Default values for sysctl-controlled parameters. > * We set them here, in case sysctl is not compiled.
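
Review bot: The two added range[] assignments in inet_init_net() replace a deny-all default (range[0]=1 greater than range[1]=0, which the deleted comment describes as "nobody may create ping sockets") with 0..2147483647, and the hunk drops that comment without adding a replacement, so the new allow-all default is undocumented in the code. Because this sits in the per-namespace init path (struct net *net), the value applies to every network namespace as it is initialized, not only to a system whose boot scripts would otherwise have set it. Suggest adding a comment that states the new policy and why it is safe, replacing the bare 2147483647 with a named constant or a note on which upper bound it represents, and putting the security rationale in the commit message itself rather than behind a link.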