[Devel] [RFC 54/54] xfrm_sysctl: fix CONFIG_VE=n build
Eva Kurchatova
eva.kurchatova at virtuozzo.com
Wed Apr 29 22:58:54 MSK 2026
Signed-off-by: Eva Kurchatova <eva.kurchatova at virtuozzo.com>
---
net/xfrm/xfrm_sysctl.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/net/xfrm/xfrm_sysctl.c b/net/xfrm/xfrm_sysctl.c
index 07f78bc6a08e..a57c81f1d179 100644
--- a/net/xfrm/xfrm_sysctl.c
+++ b/net/xfrm/xfrm_sysctl.c
@@ -56,9 +56,15 @@ int __net_init xfrm_sysctl_init(struct net *net)
table[2].data = &net->xfrm.sysctl_larval_drop;
table[3].data = &net->xfrm.sysctl_acq_expires;
+#ifdef CONFIG_VE
/* Export sysctls only to root userns of the host or the container */
if (ve_net_hide_sysctl(net))
table_size = 0;
+#else
+ /* Don't export sysctls to unprivileged users */
+ if (net->user_ns != &init_user_ns)
+ table_size = 0;
+#endif
net->xfrm.sysctl_hdr = register_net_sysctl_sz(net, "net/core", table,
table_size);
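Review bot: The #ifdef CONFIG_VE / #else block in the body of xfrm_sysctl_init() repeats the `table_size = 0` assignment in both arms and puts a config conditional at the call site. A CONFIG_VE=n stub of ve_net_hide_sysctl(), placed next to the helper's declaration and returning `net->user_ns != &init_user_ns`, would leave this function with the single `if (ve_net_hide_sysctl(net))` check and would cover other callers of the helper, if any. The comment in the #else arm says "unprivileged users", but the test is on the user namespace that owns the netns, not on the caller's privileges, so wording such as "export sysctls only for a netns owned by init_user_ns" would match the code. The commit message carries only a Signed-off-by line; it should say what fails to build with CONFIG_VE=n and that the fallback hides the table from every netns owned by a non-init user namespace.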
--
2.54.0