lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 26 Dec 2018 20:32:39 -0800 From: xiangxia.m.yue@...il.com To: davem@...emloft.net, xiyou.wangcong@...il.com Cc: netdev@...r.kernel.org, Tonghao Zhang <xiangxia.m.yue@...il.com> Subject: [PATCH net-next v2] net: ipv4: allocate ipv4_devconf memory for init_net From: Tonghao Zhang <xiangxia.m.yue@...il.com> The devconf setting on the init_net will affect other namespace when them created. For example: $ cat /proc/sys/net/ipv4/conf/all/rp_filter 0 $ echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter $ cat /proc/sys/net/ipv4/conf/all/rp_filter 2 $ ip netns add ns100 $ ip netns exec ns100 bash $ cat /proc/sys/net/ipv4/conf/all/rp_filter 2 The value of rp_filter in the ns100, should be 0 as default, but it is 2 same as _init_net_. In some case, there are many containers, on host, where running the different type containers and applications. We don't know what network configuration user will set. The new containers don't inherit our host configuration. * host _init_net_ may be used as a complex network. (the rp_filter, arp_ignore and arp_announce may be used.) but containers use them as default. Host network configuration should not affect containers. * containers and host network configuration are complete isolation. To fix it and init devconf to default value, we allocate memory for every namespace(include init_net), this memory will be used to store themself setting data and we also allocate memory to register sys_ctl tables. IPv6 does that in the same way. Signed-off-by: Tonghao Zhang <xiangxia.m.yue@...il.com> --- v1->v2: add more commit info. --- net/ipv4/devinet.c | 40 ++++++++++++++++------------------------ 1 file changed, 16 insertions(+), 24 deletions(-) diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c index 5b9b6d4..2edf0f8 100644 --- a/net/ipv4/devinet.c +++ b/net/ipv4/devinet.c @@ -2555,33 +2555,28 @@ static __net_init int devinet_init_net(struct net *net) int err; struct ipv4_devconf *all, *dflt; #ifdef CONFIG_SYSCTL - struct ctl_table *tbl = ctl_forward_entry; + struct ctl_table *tbl; struct ctl_table_header *forw_hdr; #endif err = -ENOMEM; - all = &ipv4_devconf; - dflt = &ipv4_devconf_dflt; - - if (!net_eq(net, &init_net)) { - all = kmemdup(all, sizeof(ipv4_devconf), GFP_KERNEL); - if (!all) - goto err_alloc_all; + all = kmemdup(&ipv4_devconf, sizeof(ipv4_devconf), GFP_KERNEL); + if (!all) + goto err_alloc_all; - dflt = kmemdup(dflt, sizeof(ipv4_devconf_dflt), GFP_KERNEL); - if (!dflt) - goto err_alloc_dflt; + dflt = kmemdup(&ipv4_devconf_dflt, sizeof(ipv4_devconf_dflt), GFP_KERNEL); + if (!dflt) + goto err_alloc_dflt; #ifdef CONFIG_SYSCTL - tbl = kmemdup(tbl, sizeof(ctl_forward_entry), GFP_KERNEL); - if (!tbl) - goto err_alloc_ctl; + tbl = kmemdup(ctl_forward_entry, sizeof(ctl_forward_entry), GFP_KERNEL); + if (!tbl) + goto err_alloc_ctl; - tbl[0].data = &all->data[IPV4_DEVCONF_FORWARDING - 1]; - tbl[0].extra1 = all; - tbl[0].extra2 = net; + tbl[0].data = &all->data[IPV4_DEVCONF_FORWARDING - 1]; + tbl[0].extra1 = all; + tbl[0].extra2 = net; #endif - } #ifdef CONFIG_SYSCTL err = __devinet_sysctl_register(net, "all", NETCONFA_IFINDEX_ALL, all); @@ -2610,15 +2605,12 @@ static __net_init int devinet_init_net(struct net *net) err_reg_dflt: __devinet_sysctl_unregister(net, all, NETCONFA_IFINDEX_ALL); err_reg_all: - if (tbl != ctl_forward_entry) - kfree(tbl); + kfree(tbl); err_alloc_ctl: #endif - if (dflt != &ipv4_devconf_dflt) - kfree(dflt); + kfree(dflt); err_alloc_dflt: - if (all != &ipv4_devconf) - kfree(all); + kfree(all); err_alloc_all: return err; } -- 1.8.3.1
Powered by blists - more mailing lists