[Devel] [PATCH RHEL7 COMMIT] ve/net: Allow sysctl::[ip_nonlocal_bind, icmp_echo_ignore_all] for VE's init_user_ns

Konstantin Khorenko khorenko at virtuozzo.com
Mon Jul 3 19:24:59 MSK 2017 

The commit is pushed to "branch-rh7-3.10.0-514.26.1.vz7.33.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-514.26.1.vz7.33.1
------>
commit 9f42788c258cd3ffe1d5119c27d7fe64e3ce8d9a
Author: Kirill Tkhai <ktkhai at virtuozzo.com>
Date:   Mon Jul 3 20:24:59 2017 +0400

    ve/net: Allow sysctl::[ip_nonlocal_bind,icmp_echo_ignore_all] for VE's init_user_ns
    
    Make "ip_nonlocal_bind" the first number in ipv4_net_table list,
    and allow for VE's initial user_ns along with going next
    "icmp_echo_ignore_all".
    
    These options should be safe to allow inside container,
    though I don't allow other the table options. In ipv6
    "ip_nonlocal_bind" option is allowed unconditionally,
    "icmp_echo_ignore_all" does not exist for ipv6.
    
    https://jira.sw.ru/browse/PSBM-60975
    
    Signed-off-by: Kirill Tkhai <ktkhai at virtuozzo.com>
---
 net/ipv4/sysctl_net_ipv4.c | 22 ++++++++++++++--------
 1 file changed, 14 insertions(+), 8 deletions(-)

diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
index 5c5f858..5ad8d0b 100644
--- a/net/ipv4/sysctl_net_ipv4.c
+++ b/net/ipv4/sysctl_net_ipv4.c
@@ -823,6 +823,13 @@ static struct ctl_table ipv4_table[] = {
 };
 
 static struct ctl_table ipv4_net_table[] = {
+	{	/* This must go first. See ipv4_sysctl_init_net() */
+		.procname	= "ip_nonlocal_bind",
+		.data		= &init_net.ipv4_sysctl_ip_nonlocal_bind,
+		.maxlen		= sizeof(int),
+		.mode		= 0644,
+		.proc_handler	= proc_dointvec
+	},
 	{
 		.procname	= "icmp_echo_ignore_all",
 		.data		= &init_net.ipv4.sysctl_icmp_echo_ignore_all,
@@ -906,13 +913,6 @@ static struct ctl_table ipv4_net_table[] = {
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec,
 	},
-	{
-		.procname	= "ip_nonlocal_bind",
-		.data		= &init_net.ipv4_sysctl_ip_nonlocal_bind,
-		.maxlen		= sizeof(int),
-		.mode		= 0644,
-		.proc_handler	= proc_dointvec
-	},
 	{ }
 };
 
@@ -932,8 +932,14 @@ static __net_init int ipv4_sysctl_init_net(struct net *net)
 		for (i = 0; i < ARRAY_SIZE(ipv4_net_table) - 1; i++)
 			table[i].data += (void *)net - (void *)&init_net;
 
+		/*
+		 * Check that it's a creating VE or VE's initial user_ns,
+		 * and allow ip_nonlocal_bind only:
+		 */
+		if (!ve_is_super(get_exec_env()) && !ve_net_hide_sysctl(net))
+			table[2].procname = NULL;
 		/* Don't export sysctls to unprivileged users */
-		if (net->user_ns != &init_user_ns)
+		else if (net->user_ns != &init_user_ns)
 			table[0].procname = NULL;
 	}

More information about the Devel mailing list