| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20210412042453.32168-1-Jonathon.Reinhart@gmail.com>
Date: Mon, 12 Apr 2021 00:24:51 -0400
From: Jonathon Reinhart <jonathon.reinhart@...il.com>
To: netdev@...r.kernel.org
Cc: Jonathon Reinhart <Jonathon.Reinhart@...il.com>,
Florian Westphal <fw@...len.de>,
Pablo Neira Ayuso <pablo@...filter.org>,
"David S. Miller" <davem@...emloft.net>
Subject: [PATCH net-next 0/2] Ensuring net sysctl isolation
This patchset is the result of an audit of /proc/sys/net to prove that
it is safe to be mouted read-write in a container when a net namespace
is in use. See [1].
The first commit adds code to detect sysctls which are not netns-safe,
and can "leak" changes to other net namespaces.
My manual audit found, and the above feature confirmed, that there are
two nf_conntrack sysctls which are in fact not netns-safe.
I considered sending the latter to netfilter-devel, but I think it's
better to have both together on net-next: Adding only the former causes
undesirable warnings in the kernel log.
[1]: https://github.com/opencontainers/runc/issues/2826
Jonathon Reinhart (2):
net: Ensure net namespace isolation of sysctls
netfilter: conntrack: Make global sysctls readonly in non-init netns
net/netfilter/nf_conntrack_standalone.c | 10 ++----
net/sysctl_net.c | 48 +++++++++++++++++++++++++
2 files changed, 50 insertions(+), 8 deletions(-)
--
2.20.1
Powered by blists - more mailing lists