Commit c027aab4 authored by Eric W. Biederman's avatar Eric W. Biederman Committed by David S. Miller

net: Enable some sysctls that are safe for the userns root

- Enable the per device ipv4 sysctls:
   net/ipv4/conf/<if>/forwarding
   net/ipv4/conf/<if>/mc_forwarding
   net/ipv4/conf/<if>/accept_redirects
   net/ipv4/conf/<if>/secure_redirects
   net/ipv4/conf/<if>/shared_media
   net/ipv4/conf/<if>/rp_filter
   net/ipv4/conf/<if>/send_redirects
   net/ipv4/conf/<if>/accept_source_route
   net/ipv4/conf/<if>/accept_local
   net/ipv4/conf/<if>/src_valid_mark
   net/ipv4/conf/<if>/proxy_arp
   net/ipv4/conf/<if>/medium_id
   net/ipv4/conf/<if>/bootp_relay
   net/ipv4/conf/<if>/log_martians
   net/ipv4/conf/<if>/tag
   net/ipv4/conf/<if>/arp_filter
   net/ipv4/conf/<if>/arp_announce
   net/ipv4/conf/<if>/arp_ignore
   net/ipv4/conf/<if>/arp_accept
   net/ipv4/conf/<if>/arp_notify
   net/ipv4/conf/<if>/proxy_arp_pvlan
   net/ipv4/conf/<if>/disable_xfrm
   net/ipv4/conf/<if>/disable_policy
   net/ipv4/conf/<if>/force_igmp_version
   net/ipv4/conf/<if>/promote_secondaries
   net/ipv4/conf/<if>/route_localnet

- Enable the global ipv4 sysctl:
   net/ipv4/ip_forward

- Enable the per device ipv6 sysctls:
   net/ipv6/conf/<if>/forwarding
   net/ipv6/conf/<if>/hop_limit
   net/ipv6/conf/<if>/mtu
   net/ipv6/conf/<if>/accept_ra
   net/ipv6/conf/<if>/accept_redirects
   net/ipv6/conf/<if>/autoconf
   net/ipv6/conf/<if>/dad_transmits
   net/ipv6/conf/<if>/router_solicitations
   net/ipv6/conf/<if>/router_solicitation_interval
   net/ipv6/conf/<if>/router_solicitation_delay
   net/ipv6/conf/<if>/force_mld_version
   net/ipv6/conf/<if>/use_tempaddr
   net/ipv6/conf/<if>/temp_valid_lft
   net/ipv6/conf/<if>/temp_prefered_lft
   net/ipv6/conf/<if>/regen_max_retry
   net/ipv6/conf/<if>/max_desync_factor
   net/ipv6/conf/<if>/max_addresses
   net/ipv6/conf/<if>/accept_ra_defrtr
   net/ipv6/conf/<if>/accept_ra_pinfo
   net/ipv6/conf/<if>/accept_ra_rtr_pref
   net/ipv6/conf/<if>/router_probe_interval
   net/ipv6/conf/<if>/accept_ra_rt_info_max_plen
   net/ipv6/conf/<if>/proxy_ndp
   net/ipv6/conf/<if>/accept_source_route
   net/ipv6/conf/<if>/optimistic_dad
   net/ipv6/conf/<if>/mc_forwarding
   net/ipv6/conf/<if>/disable_ipv6
   net/ipv6/conf/<if>/accept_dad
   net/ipv6/conf/<if>/force_tllao

- Enable the global ipv6 sysctls:
   net/ipv6/bindv6only
   net/ipv6/icmp/ratelimit
Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 276996fd
...@@ -1821,10 +1821,6 @@ static int __devinet_sysctl_register(struct net *net, char *dev_name, ...@@ -1821,10 +1821,6 @@ static int __devinet_sysctl_register(struct net *net, char *dev_name,
t->devinet_vars[i].extra2 = net; t->devinet_vars[i].extra2 = net;
} }
/* Don't export sysctls to unprivileged users */
if (net->user_ns != &init_user_ns)
t->devinet_vars[0].procname = NULL;
snprintf(path, sizeof(path), "net/ipv4/conf/%s", dev_name); snprintf(path, sizeof(path), "net/ipv4/conf/%s", dev_name);
t->sysctl_header = register_net_sysctl(net, path, t->devinet_vars); t->sysctl_header = register_net_sysctl(net, path, t->devinet_vars);
...@@ -1910,10 +1906,6 @@ static __net_init int devinet_init_net(struct net *net) ...@@ -1910,10 +1906,6 @@ static __net_init int devinet_init_net(struct net *net)
tbl[0].data = &all->data[IPV4_DEVCONF_FORWARDING - 1]; tbl[0].data = &all->data[IPV4_DEVCONF_FORWARDING - 1];
tbl[0].extra1 = all; tbl[0].extra1 = all;
tbl[0].extra2 = net; tbl[0].extra2 = net;
/* Don't export sysctls to unprivileged users */
if (net->user_ns != &init_user_ns)
tbl[0].procname = NULL;
#endif #endif
} }
......
...@@ -4741,10 +4741,6 @@ static int __addrconf_sysctl_register(struct net *net, char *dev_name, ...@@ -4741,10 +4741,6 @@ static int __addrconf_sysctl_register(struct net *net, char *dev_name,
t->addrconf_vars[i].extra2 = net; t->addrconf_vars[i].extra2 = net;
} }
/* Don't export sysctls to unprivileged users */
if (net->user_ns != &init_user_ns)
t->addrconf_vars[0].procname = NULL;
snprintf(path, sizeof(path), "net/ipv6/conf/%s", dev_name); snprintf(path, sizeof(path), "net/ipv6/conf/%s", dev_name);
t->sysctl_header = register_net_sysctl(net, path, t->addrconf_vars); t->sysctl_header = register_net_sysctl(net, path, t->addrconf_vars);
......
...@@ -967,14 +967,9 @@ struct ctl_table * __net_init ipv6_icmp_sysctl_init(struct net *net) ...@@ -967,14 +967,9 @@ struct ctl_table * __net_init ipv6_icmp_sysctl_init(struct net *net)
sizeof(ipv6_icmp_table_template), sizeof(ipv6_icmp_table_template),
GFP_KERNEL); GFP_KERNEL);
if (table) { if (table)
table[0].data = &net->ipv6.sysctl.icmpv6_time; table[0].data = &net->ipv6.sysctl.icmpv6_time;
/* Don't export sysctls to unprivileged users */
if (net->user_ns != &init_user_ns)
table[0].procname = NULL;
}
return table; return table;
} }
#endif #endif
......
...@@ -52,10 +52,6 @@ static int __net_init ipv6_sysctl_net_init(struct net *net) ...@@ -52,10 +52,6 @@ static int __net_init ipv6_sysctl_net_init(struct net *net)
goto out; goto out;
ipv6_table[0].data = &net->ipv6.sysctl.bindv6only; ipv6_table[0].data = &net->ipv6.sysctl.bindv6only;
/* Don't export sysctls to unprivileged users */
if (net->user_ns != &init_user_ns)
ipv6_table[0].procname = NULL;
ipv6_route_table = ipv6_route_sysctl_init(net); ipv6_route_table = ipv6_route_sysctl_init(net);
if (!ipv6_route_table) if (!ipv6_route_table)
goto out_ipv6_table; goto out_ipv6_table;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment