Message-ID: <20220118085940.6d7b4a88@kicinski-fedora-PC1C0HJN.hsd1.ca.comcast.net>
Date: Tue, 18 Jan 2022 08:59:40 -0800
From: Jakub Kicinski <kuba@...nel.org>
To: Sasha Levin <sashal@...nel.org>
Cc: linux-kernel@...r.kernel.org, stable@...r.kernel.org,
xu xin <xu.xin16@....com.cn>, Zeal Robot <zealci@....com.cn>,
Joanne Koong <joannekoong@...com>,
"David S . Miller" <davem@...emloft.net>, daniel@...earbox.net,
dsahern@...nel.org, roopa@...dia.com, edumazet@...gle.com,
chinagar@...eaurora.org, yajun.deng@...ux.dev,
netdev@...r.kernel.org
Subject: Re: [PATCH AUTOSEL 5.16 118/217] net: Enable neighbor sysctls that are safe for userns root
On Mon, 17 Jan 2022 21:18:01 -0500 Sasha Levin wrote:
> From: xu xin <xu.xin16@....com.cn>
>
> [ Upstream commit 8c8b7aa7fb0cf9e1cc9204e6bc6e1353b8393502 ]
>
> Inside netns owned by non-init userns, sysctls about ARP/neighbor are
> currently not visible and configurable.
>
> For the attributes these sysctls correspond to, any modifications make
> effects on the performance of networking (ARP, especially) only in the
> scope of netns, which does not affect other netns.
>
> Actually, some tools via netlink can modify these attributes. iproute2 is
> an example. See as follows:
>
> $ unshare -ur -n
> $ cat /proc/sys/net/ipv4/neigh/lo/retrans_time
> cat: can't open '/proc/sys/net/ipv4/neigh/lo/retrans_time': No such file
> or directory
> $ ip ntable show dev lo
> inet arp_cache
> dev lo
> refcnt 1 reachable 19494 base_reachable 30000 retrans 1000
> gc_stale 60000 delay_probe 5000 queue 101
> app_probes 0 ucast_probes 3 mcast_probes 3
> anycast_delay 1000 proxy_delay 800 proxy_queue 64 locktime 1000
>
> inet6 ndisc_cache
> dev lo
> refcnt 1 reachable 42394 base_reachable 30000 retrans 1000
> gc_stale 60000 delay_probe 5000 queue 101
> app_probes 0 ucast_probes 3 mcast_probes 3
> anycast_delay 1000 proxy_delay 800 proxy_queue 64 locktime 0
> $ ip ntable change name arp_cache dev <if> retrans 2000
> inet arp_cache
> dev lo
> refcnt 1 reachable 22917 base_reachable 30000 retrans 2000
> gc_stale 60000 delay_probe 5000 queue 101
> app_probes 0 ucast_probes 3 mcast_probes 3
> anycast_delay 1000 proxy_delay 800 proxy_queue 64 locktime 1000
>
> inet6 ndisc_cache
> dev lo
> refcnt 1 reachable 35524 base_reachable 30000 retrans 1000
> gc_stale 60000 delay_probe 5000 queue 101
> app_probes 0 ucast_probes 3 mcast_probes 3
> anycast_delay 1000 proxy_delay 800 proxy_queue 64 locktime 0
>
> Reported-by: Zeal Robot <zealci@....com.cn>
> Signed-off-by: xu xin <xu.xin16@....com.cn>
> Acked-by: Joanne Koong <joannekoong@...com>
> Signed-off-by: David S. Miller <davem@...emloft.net>
> Signed-off-by: Sasha Levin <sashal@...nel.org>
Not a fix, IDK how the "Zeal Robot" "reported" that a sysctl is not
exposed under user ns, that's probably what throws off matchers :/
Anyway - it's a feature.
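The quoted commit message shows the two views of the same neighbor parameters: the /proc/sys files, which may be absent in a netns owned by an unprivileged userns, and the netlink view that `ip ntable` always gives. The script below is an added example, not code from the patch, the mail, or iproute2. It parses `ip ntable show` output and, when run with `--audit`, re-executes itself inside a fresh unprivileged user+net namespace (the `unshare -Urn` case from the message) to report which neighbor sysctls are exposed there and whether they agree with netlink. It assumes util-linux `unshare`, iproute2 `ip`, and the millisecond sysctl names `retrans_time_ms` and `base_reachable_time_ms` under `/proc/sys/net/{ipv4,ipv6}/neigh/DEV/`; the SAMPLE_NTABLE text is constructed to mirror the output quoted above.

```shell
#!/bin/sh
# Added example (not from the patch or the mail): compare the sysctl and
# netlink views of neighbor table parameters, optionally inside an
# unprivileged user+net namespace.

# Constructed sample, shaped like the `ip ntable show dev lo` output quoted
# in the commit message. Real output is indented; the parser only looks at
# whitespace-separated fields, so both forms work.
SAMPLE_NTABLE='inet arp_cache
    dev lo
        refcnt 1 reachable 19494 base_reachable 30000 retrans 1000
        gc_stale 60000 delay_probe 5000 queue 101
        app_probes 0 ucast_probes 3 mcast_probes 3
        anycast_delay 1000 proxy_delay 800 proxy_queue 64 locktime 1000

inet6 ndisc_cache
    dev lo
        refcnt 1 reachable 42394 base_reachable 30000 retrans 1000
        gc_stale 60000 delay_probe 5000 queue 101
        app_probes 0 ucast_probes 3 mcast_probes 3
        anycast_delay 1000 proxy_delay 800 proxy_queue 64 locktime 0'

# ntable_field FAMILY TABLE DEV FIELD
# Reads `ip ntable show` output on stdin and prints FIELD's value for the
# given FAMILY/TABLE on DEV (prints nothing if absent). A table starts with a
# "FAMILY TABLE" line, followed by "dev DEV" and key/value pairs.
ntable_field() {
    awk -v fam="$1" -v tbl="$2" -v dev="$3" -v key="$4" '
        $1 == "inet" || $1 == "inet6" { intbl = ($1 == fam && $2 == tbl); indev = 0; next }
        intbl && $1 == "dev"          { indev = ($2 == dev); next }
        intbl && indev {
            for (i = 1; i < NF; i += 2)
                if ($i == key) { print $(i + 1); exit }
        }'
}

# sysctl_name FIELD: map an `ip ntable` field to the sysctl that uses the
# same unit (milliseconds). Fields with other units are deliberately left out.
sysctl_name() {
    case "$1" in
        retrans)        echo retrans_time_ms ;;
        base_reachable) echo base_reachable_time_ms ;;
        *)              return 1 ;;
    esac
}

# sysctl_dir FAMILY: the /proc/sys/net subdirectory for an ntable family.
sysctl_dir() {
    case "$1" in
        inet)  echo ipv4 ;;
        inet6) echo ipv6 ;;
        *)     return 1 ;;
    esac
}

# audit_one FAMILY TABLE DEV FIELD
# In the current namespace, compare the sysctl file with the netlink value and
# print one line: exposed and equal, exposed but different, or not exposed.
audit_one() {
    fam=$1 tbl=$2 dev=$3 field=$4
    path="/proc/sys/net/$(sysctl_dir "$fam")/neigh/$dev/$(sysctl_name "$field")"
    nl=$(ip ntable show dev "$dev" | ntable_field "$fam" "$tbl" "$dev" "$field")
    if [ -r "$path" ]; then
        sc=$(cat "$path")
        if [ "$sc" = "$nl" ]; then
            echo "$path: exposed, matches netlink ($nl)"
        else
            echo "$path: exposed, sysctl=$sc netlink=$nl"
        fi
    else
        echo "$path: not exposed in this netns; netlink reports $field=$nl"
    fi
}

# Entry point. `sh this_script.sh --audit [DEV]` enters a fresh unprivileged
# user+net namespace and re-runs the script there with --inside; DEV must
# exist in the new netns (lo always does). Without arguments nothing runs, so
# the functions can be sourced or tested on their own.
case "${1:-}" in
    --audit)
        unshare -Urn sh "$0" --inside "${2:-lo}"
        ;;
    --inside)
        for f in retrans base_reachable; do
            audit_one inet  arp_cache   "$2" "$f"
            audit_one inet6 ndisc_cache "$2" "$f"
        done
        ;;
esac
```

On a kernel without the commit, the `--audit` run reports every path as not exposed while netlink still returns the values; with it, the files appear and should match the `ip ntable` numbers. Only the millisecond fields are compared because `gc_stale_time` and friends use different units in sysctl than in the netlink dump.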