[Devel] [PATCH] net: Allow sysctl::ip_nonlocal_bind for VE's init_user_ns

[Kirill Tkhai]

Make it the first number in ipv4_net_table list,
and allow for VE's initial user_ns.

This option should be safe to allow inside container,
though I don't allow other the table options. In ipv6
the similar option is allowed unconditionally.

https://jira.sw.ru/browse/PSBM-60975

Signed-off-by: Kirill Tkhai <ktkhai at virtuozzo.com>
---
 net/ipv4/sysctl_net_ipv4.c |   22 ++++++++++++++--------
 1 file changed, 14 insertions(+), 8 deletions(-)

diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
index 5c5f858f109..20945cb9db3 100644
--- a/net/ipv4/sysctl_net_ipv4.c
+++ b/net/ipv4/sysctl_net_ipv4.c
@@ -823,6 +823,13 @@ static struct ctl_table ipv4_table[] = {
 };
 
 static struct ctl_table ipv4_net_table[] = {
+	{	/* This must go first. See ipv4_sysctl_init_net() */
+		.procname	= "ip_nonlocal_bind",
+		.data		= &init_net.ipv4_sysctl_ip_nonlocal_bind,
+		.maxlen		= sizeof(int),
+		.mode		= 0644,
+		.proc_handler	= proc_dointvec
+	},
 	{
 		.procname	= "icmp_echo_ignore_all",
 		.data		= &init_net.ipv4.sysctl_icmp_echo_ignore_all,
@@ -906,13 +913,6 @@ static struct ctl_table ipv4_net_table[] = {
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec,
 	},
-	{
-		.procname	= "ip_nonlocal_bind",
-		.data		= &init_net.ipv4_sysctl_ip_nonlocal_bind,
-		.maxlen		= sizeof(int),
-		.mode		= 0644,
-		.proc_handler	= proc_dointvec
-	},
 	{ }
 };
 
@@ -932,8 +932,14 @@ static __net_init int ipv4_sysctl_init_net(struct net *net)
 		for (i = 0; i < ARRAY_SIZE(ipv4_net_table) - 1; i++)
 			table[i].data += (void *)net - (void *)&init_net;
 
+		/*
+		 * Check that it's a creating VE or VE's initial user_ns,
+		 * and allow ip_nonlocal_bind only:
+		 */
+		if (!ve_is_super(get_exec_env()) && !ve_net_hide_sysctl(net))
+			table[1].procname = NULL;
 		/* Don't export sysctls to unprivileged users */
-		if (net->user_ns != &init_user_ns)
+		else if (net->user_ns != &init_user_ns)
 			table[0].procname = NULL;
 	}