Message-ID: <20211207214903.7a900743@kicinski-fedora-pc1c0hjn.dhcp.thefacebook.com>
Date: Tue, 7 Dec 2021 21:49:03 -0800
From: Jakub Kicinski <kuba@...nel.org>
To: <netdev@...r.kernel.org>
Cc: Joanne Koong <joannekoong@...com>, <davem@...emloft.net>,
<kafai@...com>, <Kernel-team@...com>,
"Eric W. Biederman" <ebiederm@...ssion.com>
Subject: Re: [PATCH net-next] net: Enable unix sysctls to be configurable by
non-init user namespaces
CC: Eric B
On Tue, 7 Dec 2021 12:21:01 -0800 Joanne Koong wrote:
> Currently, when a networking namespace is initialized, its unix sysctls
> are exposed only if the user namespace that "owns" it is the init user
> namespace.
>
> If there is a non-init user namespace that "owns" a networking
> namespace (for example, in the case after we call clone() with both
> CLONE_NEWUSER and CLONE_NEWNET set), the sysctls are hidden from view
> and not configurable.
>
> This patch enables the unix networking sysctls (there is currently only
> 1, "sysctl_max_dgram_qlen", which is used as the default
> "sk_max_ack_backlog" value when a unix socket is created) to be exposed
> to non-init user namespaces.
>
> This is safe because any changes made to these sysctls will be limited
> in scope to the networking namespace the non-init user namespace "owns"
> and has privileges over.
>
> Signed-off-by: Joanne Koong <joannekoong@...com>
> ---
> net/unix/sysctl_net_unix.c | 4 ----
> 1 file changed, 4 deletions(-)
>
> diff --git a/net/unix/sysctl_net_unix.c b/net/unix/sysctl_net_unix.c
> index c09bea89151b..01d44e2598e2 100644
> --- a/net/unix/sysctl_net_unix.c
> +++ b/net/unix/sysctl_net_unix.c
> @@ -30,10 +30,6 @@ int __net_init unix_sysctl_register(struct net *net)
> if (table == NULL)
> goto err_alloc;
>
> - /* Don't export sysctls to unprivileged users */
> - if (net->user_ns != &init_user_ns)
> - table[0].procname = NULL;
> -
> table[0].data = &net->unx.sysctl_max_dgram_qlen;
> net->unx.ctl = register_net_sysctl(net, "net/unix", table);
> if (net->unx.ctl == NULL)
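Review bot: dropping the "Don't export sysctls to unprivileged users" comment and the `net->user_ns != &init_user_ns` gate leaves the per-table permission check on the `register_net_sysctl()` registration as the only thing between an unprivileged owner of a child user namespace and a write to `net/unix/max_dgram_qlen`; the commit message argues scope ("limited in scope to the networking namespace") but not resource cost, and since the value feeds `sk_max_ack_backlog` for every unix socket created in that netns, the message or a comment kept beside `table[0].data` should state what bounds the number of datagrams such an owner can leave queued (receive-buffer accounting, the handler's integer range, or nothing beyond the netns boundary itself). Suggest also keeping a one-line comment at the removed location saying the table is now exported to every netns on purpose, so the next reader does not re-add the gate.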
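The commit message describes the observable effect of the patch: before it, a netns owned by a non-init user namespace (as created by clone()/unshare() with CLONE_NEWUSER and CLONE_NEWNET) has no net/unix/max_dgram_qlen entry at all; after it, the entry exists and is writable by the namespace owner. The probe below is an added example, not code from the patch or from the thread, that reproduces that scenario from userspace: it classifies the sysctl in the current netns, then enters a self-owned user+net namespace (mapping the caller's uid and gid to 0, as an unprivileged process is allowed to do) and classifies it again. It assumes a Linux host with unprivileged user namespaces enabled and /proc mounted; the enum names, the classify()/probe_sysctl()/enter_owned_netns() helpers and the path constant are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* unshare() lives in <sched.h> under _GNU_SOURCE; re-declared so the file
 * builds even if a different feature-macro set was already processed. */
int unshare(int flags);

enum sysctl_state { SYSCTL_ABSENT, SYSCTL_READ_ONLY, SYSCTL_WRITABLE, SYSCTL_ERROR };

/* Pure classification of what open(2) reported, kept separate so it can be
 * unit-tested without touching the kernel:
 *   ENOENT on the read-only open  -> the table is hidden (pre-patch kernels)
 *   EACCES/EPERM on the rw open    -> visible but not ours to change
 *   both opens succeed             -> exported to this netns and writable
 */
enum sysctl_state classify(int open_ro_rc, int open_ro_errno,
                           int open_rw_rc, int open_rw_errno)
{
    if (open_ro_rc < 0)
        return open_ro_errno == ENOENT ? SYSCTL_ABSENT : SYSCTL_ERROR;
    if (open_rw_rc < 0)
        return (open_rw_errno == EACCES || open_rw_errno == EPERM)
               ? SYSCTL_READ_ONLY : SYSCTL_ERROR;
    return SYSCTL_WRITABLE;
}

/* Probe a /proc/sys path. /proc/sys/net is resolved against the netns of the
 * calling process, so no remount is needed after unshare(). */
enum sysctl_state probe_sysctl(const char *path)
{
    int rfd = open(path, O_RDONLY);
    int rerr = errno;
    int wfd = rfd < 0 ? -1 : open(path, O_WRONLY);
    int werr = errno;
    enum sysctl_state st = classify(rfd, rerr, wfd, werr);

    if (rfd >= 0) close(rfd);
    if (wfd >= 0) close(wfd);
    return st;
}

static int write_file(const char *path, const char *buf)
{
    int fd = open(path, O_WRONLY);
    ssize_t n;

    if (fd < 0)
        return -1;
    n = write(fd, buf, strlen(buf));
    close(fd);
    return n == (ssize_t)strlen(buf) ? 0 : -1;
}

/* Create a user namespace that owns a fresh network namespace and map our
 * uid/gid to 0 inside it. Returns 0 on success, -1 (errno set) on failure. */
int enter_owned_netns(void)
{
    char map[64];

    if (unshare(CLONE_NEWUSER | CLONE_NEWNET) < 0)
        return -1;
    /* setgroups must be denied before an unprivileged gid_map write is accepted */
    if (write_file("/proc/self/setgroups", "deny") < 0)
        return -1;
    snprintf(map, sizeof map, "0 %u 1", (unsigned)getuid());
    if (write_file("/proc/self/uid_map", map) < 0)
        return -1;
    snprintf(map, sizeof map, "0 %u 1", (unsigned)getgid());
    if (write_file("/proc/self/gid_map", map) < 0)
        return -1;
    return 0;
}

int main(void)
{
    static const char path[] = "/proc/sys/net/unix/max_dgram_qlen";
    static const char *names[] = { "absent", "read-only", "writable", "error" };

    printf("current netns:    %s\n", names[probe_sysctl(path)]);
    if (enter_owned_netns() < 0) {
        perror("enter_owned_netns");
        return 1;
    }
    /* Expected: "absent" on kernels without this patch, "writable" with it. */
    printf("self-owned netns: %s\n", names[probe_sysctl(path)]);
    return 0;
}
```

Run it as a normal user; if the second probe prints "absent" the kernel still carries the `init_user_ns` gate the patch removes, and if it prints "writable" the owner of the child user namespace can set the value for sockets of that netns only, which is the behaviour the commit message claims.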