[Devel] [PATCH RHEL7 COMMIT] ve/nf_conntrack: allow expose of privileged sysctl inside containers

Konstantin Khorenko khorenko at virtuozzo.com
Tue Oct 27 08:47:40 PDT 2015


The commit is pushed to "branch-rh7-3.10.0-229.7.2.vz7.9.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-229.7.2.vz7.9.2
------>
commit eb9ee4ecc3144591b867110dbb24aaeb232631d0
Author: Stanislav Kinsburskiy <skinsbursky at virtuozzo.com>
Date:   Tue Oct 27 19:47:39 2015 +0400

    ve/nf_conntrack: allow expose of privileged sysctl inside containers
    
    Series:
    This series brings to vz7 all the nf_conntrack sysctls
    which are available in vz6.
    
    https://jira.sw.ru/browse/PSBM-40044
    
    Signed-off-by: Stanislav Kinsburskiy <skinsbursky at virtuozzo.com>
    Reviewed-by: Kirill Tkhai <ktkhai at virtuozzo.com>
---
 net/netfilter/nf_conntrack_standalone.c | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
index ee2889d..d1915e5 100644
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -477,6 +477,21 @@ static struct ctl_table nf_ct_netfilter_table[] = {
 
 static int zero;
 
+static int nf_conntrack_hide_sysctl(struct net *net)
+{
+	/*
+	 * This can happen only on VE creation, when process created VE cgroup,
+	 * and clones a child with new network namespace.
+	 */
+	if (net->owner_ve->init_cred == NULL)
+		return 0;
+
+	/*
+	 * Expose sysctl only for container's init user namespace
+	 */
+	return net->user_ns != net->owner_ve->init_cred->user_ns;
+}
+
 static int nf_conntrack_standalone_init_sysctl(struct net *net)
 {
 	struct ctl_table *table;
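Review bot: the `init_cred == NULL` branch in nf_conntrack_hide_sysctl() returns 0, i.e. "do not hide", which is strictly more permissive than the `net->user_ns != &init_user_ns` test this function replaces: any network namespace owned by a VE whose init_cred has not been set yet (the comment says this is the VE-creation window) gets the full table regardless of which user namespace it belongs to. If the intent is only to avoid dereferencing a NULL init_cred, the safer fallback is to keep the old criterion there, e.g. `return net->user_ns != &init_user_ns;` instead of `return 0;`, so that an unprivileged user namespace is never exposed through that window. Also, since the function answers a yes/no question, returning `bool` rather than `int` would make the call site read better, and the comment "Expose sysctl only for container's init user namespace" should mention the early-exit case so a reader does not have to infer it from the first comment.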
@@ -494,7 +509,7 @@ static int nf_conntrack_standalone_init_sysctl(struct net *net)
 	table[5].data = &net->ct.expect_max;
 
 	/* Don't export sysctls to unprivileged users */
-	if (net->user_ns != &init_user_ns)
+	if (nf_conntrack_hide_sysctl(net))
 		table[0].procname = NULL;
 
 	if (!net_eq(net, &init_net)) {
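Review bot: the comment "Don't export sysctls to unprivileged users" no longer describes the condition beneath it. After this change the criterion is "not the owning VE's init user namespace (or VE not yet fully created)", which is what nf_conntrack_hide_sysctl() encodes; update the comment to say so, e.g. "Only export sysctls to the container's init user namespace", so the next reader does not assume the host-only check is still in place. The mechanism itself is unchanged: setting `table[0].procname = NULL` terminates the ctl_table at its first entry, so the whole table is hidden, not just the first sysctl, which is worth stating in the comment as well.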



More information about the Devel mailing list