From 08de33cef3d6a540f5c6c686c1abdc264dfa9d33 Mon Sep 17 00:00:00 2001 From: meganz009 Date: Sat, 24 Jun 2023 21:41:29 +0800 Subject: [PATCH 1/2] ipv4: enable route flushing in network namespaces commit 5cdda5f1d6adde02da591ca2196f20289977dc56 upstream. Tools such as vpnc try to flush routes when run inside network namespaces by writing 1 into /proc/sys/net/ipv4/route/flush. This currently does not work because flush is not enabled in non-initial network namespaces. Since routes are per network namespace it is safe to enable /proc/sys/net/ipv4/route/flush in there. Link: https://github.com/lxc/lxd/issues/4257 Signed-off-by: Christian Brauner Signed-off-by: David S. Miller Signed-off-by: Wenya Zhang Reviewed-by: Huang Jian --- net/ipv4/route.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index 6c7bc99f01c1..3860dc3346a3 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -3107,9 +3107,11 @@ static struct ctl_table ipv4_route_table[] = {
 { }
 };
 
+static const char ipv4_route_flush_procname[] = "flush";
+
 static struct ctl_table ipv4_route_flush_table[] = {
 {
- .procname = "flush",
+ .procname = ipv4_route_flush_procname,
 .maxlen = sizeof(int),
 .mode = 0200,
 .proc_handler = ipv4_sysctl_rtcache_flush,
@@ -3127,9 +3129,11 @@ static __net_init int sysctl_route_net_init(struct net *net)
 if (!tbl)
 goto err_dup;
 
- /* Don't export sysctls to unprivileged users */
- if (net->user_ns != &init_user_ns)
- tbl[0].procname = NULL;
+ /* Don't export non-whitelisted sysctls to unprivileged users */
+ if (net->user_ns != &init_user_ns) {
+ if (tbl[0].procname != ipv4_route_flush_procname)
+ tbl[0].procname = NULL;
+ }
 }
 
 tbl[0].extra1 = net;
-- Gitee
From 50306e53a7dfe077c784790e95824ac44f084e8f Mon Sep 17 00:00:00 2001 
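Review bot: The new `ipv4_route_flush_procname` array carries no comment saying why the name is a separate named object instead of the literal `"flush"`, and that reason is the whole mechanism of the patch: the second hunk in this file decides visibility by pointer identity (`tbl[0].procname != ipv4_route_flush_procname`), which only works because the duplicated table still points at this object. A later maintainer who folds the declaration back into the literal, or who adds another entry to `ipv4_route_flush_table` expecting it to be whitelisted the same way, would silently break the check. Suggest `/* A named object, not a literal: sysctl_route_net_init() compares procname pointers, not contents, to keep this one entry visible outside the init user namespace. */` above the declaration.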
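Review bot: The nested `if` in the second hunk of this file is a single condition written as two, and the braces exist only to hold the inner statement; `if (net->user_ns != &init_user_ns && tbl[0].procname != ipv4_route_flush_procname) tbl[0].procname = NULL;` says the same thing in one line and reads as the whitelist it is. Worth recording next to it that the entry left visible is write-only for the owner (`.mode = 0200` in the first hunk) and that the handler is handed `tbl[0].extra1 = net`, which is presumably what scopes the flush to this namespace; anyone adding entries to this table should keep both properties. `sysctl_route_net_init` begins and ends outside this hunk.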
From: meganz009 Date: Sat, 24 Jun 2023 21:42:39 +0800 Subject: [PATCH 2/2] net: Enable max_dgram_qlen unix sysctl to be configurable by non-init user namespaces commit cec16052d5a774035fc6da19cb9d09106356bbef upstream. This patch enables the "/proc/sys/net/unix/max_dgram_qlen" sysctl to be exposed to non-init user namespaces. max_dgram_qlen is used as the default "sk_max_ack_backlog" value for when a unix socket is created. Currently, when a networking namespace is initialized, its unix sysctls are exposed only if the user namespace that "owns" it is the init user namespace. If there is an non-init user namespace that "owns" a networking namespace (for example, in the case after we call clone() with both CLONE_NEWUSER and CLONE_NEWNET set), the sysctls are hidden from view and not configurable. Exposing the unix sysctl is safe because any changes made to it will be limited in scope to the networking namespace the non-init user namespace "owns" and has privileges over (changes won't affect any other net namespace). There is also no possibility of a non-privileged user namespace messing up the net namespace sysctls it shares with its parent user namespace. When a new user namespace is created without unsharing the network namespace (eg calling clone() with CLONE_NEWUSER), the new user namespace shares its parent's network namespace. Write access is protected by the mode set in the sysctl's ctl_table (and enforced by procfs). Here in the case of "max_dgram_qlen", 0644 is set; only the user owner has write access. v1 -> v2: * Add more detail to commit message, specify the "/proc/sys/net/unix/max_dgram_qlen" sysctl in commit message. Signed-off-by: Joanne Koong Signed-off-by: David S. Miller Signed-off-by: Wenya Zhang Reviewed-by: Huang Jian --- net/unix/sysctl_net_unix.c | 4 ---- 1 file changed, 4 deletions(-)
diff --git a/net/unix/sysctl_net_unix.c b/net/unix/sysctl_net_unix.c
index b3d515021b74..ddac65771ba7 100644
--- a/net/unix/sysctl_net_unix.c 
+++ b/net/unix/sysctl_net_unix.c
@@ -34,10 +34,6 @@ int __net_init unix_sysctl_register(struct net *net)
 if (table == NULL)
 goto err_alloc;
 
- /* Don't export sysctls to unprivileged users */
- if (net->user_ns != &init_user_ns)
- table[0].procname = NULL;
-
 table[0].data = &net->unx.sysctl_max_dgram_qlen;
 net->unx.ctl = register_net_sysctl(net, "net/unix", table);
 if (net->unx.ctl == NULL)
-- Gitee
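Review bot: Removing the `table[0].procname = NULL` hiding leaves nothing in the code recording that this entry is now deliberately visible inside non-init user namespaces, so the decision lives only in the commit message and a future entry added to the same table, or a later audit of this function, has no marker to find. A one-line comment where the removed block stood, e.g. `/* Visible in non-init user namespaces: the value is per-net and writes are gated by the entry's mode. */`, keeps the rationale next to the code it justifies. The 0644 mode the description relies on is set in the table definition, which is outside this hunk, as are the start and end of `unix_sysctl_register`.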