Date: Sat, 22 Oct 2016 18:43:16 -0400 (EDT)
From: David Miller <davem@...emloft.net>
To: jann@...jh.net
Cc: pablo@...filter.org, kuznet@....inr.ac.ru, jmorris@...ei.org, yoshfuji@...ux-ipv6.org, netdev@...r.kernel.org, netfilter-devel@...r.kernel.org
Subject: Re: [PATCH] netfilter: don't permit unprivileged writes to global state via sysctls

From: Jann Horn <jann@...jh.net>
Date: Sat, 22 Oct 2016 23:23:42 +0200

> On Thu, Oct 20, 2016 at 02:37:47PM -0400, David Miller wrote:
>> From: Pablo Neira Ayuso <pablo@...filter.org>
>> Date: Thu, 20 Oct 2016 20:22:24 +0200
>>
>> > On Sat, Sep 24, 2016 at 12:21:04AM +0200, Jann Horn wrote:
>> >> This prevents the modification of nf_conntrack_max in unprivileged network
>> >> namespaces. For unprivileged network namespaces, ip_conntrack_max is kept
>> >> as a readonly sysctl in order to minimize potential compatibility issues.
>> >>
>> >> This patch should apply cleanly to the net tree.
>> >
>> > For the record: This patch looks good to me, but this legacy
>> > ip_conntrack sysctl code is now gone.
>> >
>> > I don't know what is the procedure to get this to -stable branches now
>> > that this cannot be pushed upstream.
>>
>> In the commit message for the -stable submission simply say "Not
>> applicable" in the upstream commit reference. Like:
>>
>> [ Upstream commit: Not applicable ]
>>
>> or something like that.
>
> Who should do that? Me, after getting a maintainer ack? Or the maintainer?

When the maintainer submits a patch to -stable, that's what they add
to the commit message.