[Devel] [PATCH vz7 1/5] nf_conntrack: allow expose of priviledged sysctl inside containers
Stanislav Kinsburskiy
skinsbursky at odin.com
Tue Oct 6 10:44:43 PDT 2015
From: Stanislav Kinsburskiy <skinsbursky at parallels.com>
Signed-off-by: Stanislav Kinsburskiy <skinsbursky at parallels.com>
---
net/netfilter/nf_conntrack_standalone.c | 17 ++++++++++++++++-
1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
index ee2889d..d1915e5 100644
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -477,6 +477,21 @@ static struct ctl_table nf_ct_netfilter_table[] = {
static int zero;
+static int nf_conntrack_hide_sysctl(struct net *net)
+{
+ /*
+ * This can happen only on VE creation, when process created VE cgroup,
+ * and clones a child with new network namespace.
+ */
+ if (net->owner_ve->init_cred == NULL)
+ return 0;
+
+ /*
+ * Expose sysctl only for container's init user namespace
+ */
+ return net->user_ns != net->owner_ve->init_cred->user_ns;
+}
+
static int nf_conntrack_standalone_init_sysctl(struct net *net)
{
struct ctl_table *table;
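Review bot: The `init_cred == NULL` early return in nf_conntrack_hide_sysctl answers "expose" unconditionally, which silently drops the upstream `net->user_ns != &init_user_ns` guard for every net namespace whose owner VE has no init_cred yet; if that also holds for ve0, unprivileged-userns namespaces on the host would gain the privileged entries. Falling back to the old check keeps the previous behaviour for that window: `if (net->owner_ve->init_cred == NULL) return net->user_ns != &init_user_ns;`. The comment only says the NULL case happens at VE creation, so whether `owner_ve` itself can be NULL or is ve0 for host namespaces is not visible here; a one-line header such as `/* Non-zero when privileged conntrack sysctls must be hidden from @net; assumes owner_ve is set */` would state the assumption explicitly.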
@@ -494,7 +509,7 @@ static int nf_conntrack_standalone_init_sysctl(struct net *net)
table[5].data = &net->ct.expect_max;
/* Don't export sysctls to unprivileged users */
- if (net->user_ns != &init_user_ns)
+ if (nf_conntrack_hide_sysctl(net))
table[0].procname = NULL;
if (!net_eq(net, &init_net)) {
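Review bot: The retained comment `/* Don't export sysctls to unprivileged users */` above the changed condition no longer describes it, since the entries are now exported to the owning VE's init user namespace rather than only the host's; suggest `/* Export privileged sysctls only to the owning VE's init user namespace */`. In upstream, `table[0]` is `nf_conntrack_max` backed by a global, unlike the per-netns `table[1..5]` fields assigned just above, so unless vz7 virtualizes it per VE (not visible in this hunk) a container's root can now set a host-wide limit, which is worth a sentence in the commit message. nf_conntrack_standalone_init_sysctl continues outside the hunk.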