| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20160922.013037.1974473377908826519.davem@davemloft.net>
Date: Thu, 22 Sep 2016 01:30:37 -0400 (EDT)
From: David Miller <davem@...emloft.net>
To: jann@...jh.net
Cc: kuznet@....inr.ac.ru, jmorris@...ei.org, yoshfuji@...ux-ipv6.org,
kaber@...sh.net, netdev@...r.kernel.org
Subject: Re: [PATCH] net: explicitly whitelist sysctls for unpriv namespaces
From: Jann Horn <jann@...jh.net>
Date: Sun, 18 Sep 2016 22:58:20 +0200
> There were two net sysctls that could be written from unprivileged net
> namespaces, but weren't actually namespaced.
>
> To fix the existing issues and prevent stuff this from happening again in
> the future, explicitly whitelist permitted sysctls.
>
> Note: The current whitelist is "allow everything that was previously
> accessible and that doesn't obviously modify global state".
>
> On my system, this patch just removes the write permissions for
> ipv4/netfilter/ip_conntrack_max, which would have been usable for a local
> DoS. With a different config, the ipv4/vs/debug_level sysctl would also be
> affected.
>
> Maximum impact of this seems to be local DoS, and it's a fairly large
> commit, so I'm sending this publicly directly.
>
> An alternative (and much smaller) fix would be to just change the
> permissions of the two files in question to be 0444 in non-privileged
> namespaces, but I believe that this solution is slightly less error-prone.
> If you think I should switch to the simple fix, let me know.
>
> Signed-off-by: Jann Horn <jann@...jh.net>
I think this is fine for net-next and will apply it there.
But for 'net' and 'stable', please also submit the simpler fix.
Thanks.
Powered by blists - more mailing lists