Message-ID: <20211207202101.2457994-1-joannekoong@fb.com>
Date: Tue, 7 Dec 2021 12:21:01 -0800
From: Joanne Koong <joannekoong@...com>
To: <netdev@...r.kernel.org>
CC: <davem@...emloft.net>, <kuba@...nel.org>, <kafai@...com>,
<Kernel-team@...com>, Joanne Koong <joannekoong@...com>
Subject: [PATCH net-next] net: Enable unix sysctls to be configurable by non-init user namespaces
Currently, when a networking namespace is initialized, its unix sysctls
are exposed only if the user namespace that "owns" it is the init user
namespace.
If there is a non-init user namespace that "owns" a networking
namespace (for example, in the case after we call clone() with both
CLONE_NEWUSER and CLONE_NEWNET set), the sysctls are hidden from view
and not configurable.
This patch enables the unix networking sysctls (there is currently only
1, "sysctl_max_dgram_qlen", which is used as the default
"sk_max_ack_backlog" value when a unix socket is created) to be exposed
to non-init user namespaces.
This is safe because any changes made to these sysctls will be limited
in scope to the networking namespace the non-init user namespace "owns"
and has privileges over.
Signed-off-by: Joanne Koong <joannekoong@...com>
---
net/unix/sysctl_net_unix.c | 4 ----
1 file changed, 4 deletions(-)
diff --git a/net/unix/sysctl_net_unix.c b/net/unix/sysctl_net_unix.c
index c09bea89151b..01d44e2598e2 100644
--- a/net/unix/sysctl_net_unix.c
+++ b/net/unix/sysctl_net_unix.c
@@ -30,10 +30,6 @@ int __net_init unix_sysctl_register(struct net *net)
if (table == NULL)
goto err_alloc;
- /* Don't export sysctls to unprivileged users */
- if (net->user_ns != &init_user_ns)
- table[0].procname = NULL;
-
table[0].data = &net->unx.sysctl_max_dgram_qlen;
net->unx.ctl = register_net_sysctl(net, "net/unix", table);
if (net->unx.ctl == NULL)
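Review bot: with the `net->user_ns != &init_user_ns` guard removed, the owner of a non-init user namespace can now write `max_dgram_qlen` for its netns, but the table entry's proc handler and any min/max bounds are outside this hunk; it is worth confirming in the same file that the entry is range-checked (for example via a minmax handler) rather than accepting any int, since the value feeds `sk_max_ack_backlog` for every unix socket created in that namespace. The safety argument in the commit message is consistent with the visible `table[0].data = &net->unx.sysctl_max_dgram_qlen;` line (the storage is per-netns), so a short replacement comment explaining why exporting is safe here would preserve the intent of the deleted "Don't export sysctls to unprivileged users" note for future readers.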
--
2.30.2