lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <1A4FB0E6-C840-4A09-B067-9A9F9B9565F3@yandex-team.ru>
Date:   Thu, 30 Sep 2021 11:44:46 +0300
From:   "Alexander Al. Kuznetsov" <wwfq@...dex-team.ru>
To:     Jakub Kicinski <kuba@...nel.org>
Cc:     netdev@...r.kernel.org, zeil@...dex-team.ru, ebiederm@...ssion.com,
        davem@...emloft.net
Subject: Re: [PATCH] ipv6: enable net.ipv6.route sysctls in network namespace



> On 21 Sep 2021, at 16:09, Jakub Kicinski <kuba@...nel.org> wrote:
> 
> On Tue, 21 Sep 2021 09:22:04 +0300 Alexander Kuznetsov wrote:
>> We want to increase route cache size in network namespace
>> created with user namespace. Currently ipv6 route settings
>> are disabled for non-initial network namespaces.
>> Since routes are per network namespace it is safe
>> to enable these sysctls.
>> 
>> Signed-off-by: Alexander Kuznetsov <wwfq@...dex-team.ru>
>> Acked-by: Dmitry Yakunin <zeil@...dex-team.ru>
> 
> Your CC list is very narrow. IMO you should CC Eric B on this, 
> at the very least.
> 
> Why only remove this part and not any other part of 464dc801c76aa?

We remove this part by analogy with 5cdda5f1d6add and enable only sysctls that we need.

>> diff --git a/net/ipv6/route.c b/net/ipv6/route.c
>> index b6ddf23..de85e3b 100644
>> --- a/net/ipv6/route.c
>> +++ b/net/ipv6/route.c
>> @@ -6415,10 +6415,6 @@ struct ctl_table * __net_init ipv6_route_sysctl_init(struct net *net)
>> 		table[8].data = &net->ipv6.sysctl.ip6_rt_min_advmss;
>> 		table[9].data = &net->ipv6.sysctl.ip6_rt_gc_min_interval;
>> 		table[10].data = &net->ipv6.sysctl.skip_notify_on_dev_down;
>> -
>> -		/* Don't export sysctls to unprivileged users */
>> -		if (net->user_ns != &init_user_ns)
>> -			table[0].procname = NULL;
>> 	}
>> 
>> 	return table;
> 
> I don't know much about user ns, are we making an assumption here that
> this user ns corresponds to a net ns? Or just because it's _possible_
> to make them 1:1 we can shift the decision to the admin?

Sorry, but I don't understand what you mean.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ