Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 464dc801 authored by Eric W. Biederman's avatar Eric W. Biederman Committed by David S. Miller
Browse files

net: Don't export sysctls to unprivileged users 



In preparation for supporting the creation of network namespaces
by unprivileged users, modify all of the per net sysctl exports
and refuse to allow them to unprivileged users.

This makes it safe for unprivileged users in general to access
per net sysctls, and allows sysctls to be exported to unprivileged
users on an individual basis as they are deemed safe.

Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 73f7ef43

net/core/neighbour.c

+4 −0
Original line number Diff line number Diff line
@@ -2987,6 +2987,10 @@ int neigh_sysctl_register(struct net_device *dev, struct neigh_parms *p, 
		t->neigh_vars[NEIGH_VAR_BASE_REACHABLE_TIME_MS].extra1 = dev;

	}



	/* Don't export sysctls to unprivileged users */

	if (neigh_parms_net(p)->user_ns != &init_user_ns)

		t->neigh_vars[0].procname = NULL;



	snprintf(neigh_path, sizeof(neigh_path), "net/%s/neigh/%s",

		p_name, dev_name_source);

	t->sysctl_header =

net/core/sysctl_net_core.c

+5 −0
Original line number Diff line number Diff line
@@ -216,6 +216,11 @@ static __net_init int sysctl_core_net_init(struct net *net) 
			goto err_dup;



		tbl[0].data = &net->core.sysctl_somaxconn;



		/* Don't export any sysctls to unprivileged users */

		if (net->user_ns != &init_user_ns) {

			tbl[0].procname = NULL;

		}

	}



	net->core.sysctl_hdr = register_net_sysctl(net, "net/core", tbl);

net/ipv4/devinet.c

+8 −0
Original line number Diff line number Diff line
@@ -1815,6 +1815,10 @@ static int __devinet_sysctl_register(struct net *net, char *dev_name, 
		t->devinet_vars[i].extra2 = net;

	}



	/* Don't export sysctls to unprivileged users */

	if (net->user_ns != &init_user_ns)

		t->devinet_vars[0].procname = NULL;



	snprintf(path, sizeof(path), "net/ipv4/conf/%s", dev_name);



	t->sysctl_header = register_net_sysctl(net, path, t->devinet_vars);
@@ -1900,6 +1904,10 @@ static __net_init int devinet_init_net(struct net *net) 
		tbl[0].data = &all->data[IPV4_DEVCONF_FORWARDING - 1];

		tbl[0].extra1 = all;

		tbl[0].extra2 = net;



		/* Don't export sysctls to unprivileged users */

		if (net->user_ns != &init_user_ns)

			tbl[0].procname = NULL;

#endif

	}

net/ipv4/ip_fragment.c

+4 −0
Original line number Diff line number Diff line
@@ -802,6 +802,10 @@ static int __net_init ip4_frags_ns_ctl_register(struct net *net) 
		table[0].data = &net->ipv4.frags.high_thresh;

		table[1].data = &net->ipv4.frags.low_thresh;

		table[2].data = &net->ipv4.frags.timeout;



		/* Don't export sysctls to unprivileged users */

		if (net->user_ns != &init_user_ns)

			table[0].procname = NULL;

	}



	hdr = register_net_sysctl(net, "net/ipv4", table);

net/ipv4/route.c

+4 −0
Original line number Diff line number Diff line
@@ -2493,6 +2493,10 @@ static __net_init int sysctl_route_net_init(struct net *net) 
		tbl = kmemdup(tbl, sizeof(ipv4_route_flush_table), GFP_KERNEL);

		if (tbl == NULL)

			goto err_dup;



		/* Don't export sysctls to unprivileged users */

		if (net->user_ns != &init_user_ns)

			tbl[0].procname = NULL;

	}

	tbl[0].extra1 = net;