
Commit 7c76509d authored by Daniel Lezcano, committed by David S. Miller

[NETNS][IPV6]: Make mld_max_msf readonly in other namespaces.



The mld_max_msf protects the system with a maximum allowed number of multicast
source filters. Making this variable per namespace can potentially be
a problem if someone inside a namespace sets it to a big value, which
will impact the whole system including other namespaces.

I don't see any benefit to having it per namespace for now, so in order
to keep a directory entry in a newly created namespace, I make it
read-only when we are not in the initial network namespace.

Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
parent e71e0349
+6 −0
@@ -122,6 +122,12 @@ static int ipv6_sysctl_net_init(struct net *net)
	ipv6_table[5].data = &net->ipv6.sysctl.frags.timeout;
	ipv6_table[5].data = &net->ipv6.sysctl.frags.timeout;
	ipv6_table[6].data = &net->ipv6.sysctl.frags.secret_interval;
	ipv6_table[6].data = &net->ipv6.sysctl.frags.secret_interval;


	/* We don't want this value to be per namespace, it should be global
	   to all namespaces, so make it read-only when we are not in the
	   init network namespace */
	if (net != &init_net)
		ipv6_table[7].mode = 0444;

	net->ipv6.sysctl.table = register_net_sysctl_table(net, net_ipv6_ctl_path,
	net->ipv6.sysctl.table = register_net_sysctl_table(net, net_ipv6_ctl_path,
							   ipv6_table);
							   ipv6_table);
	if (!net->ipv6.sysctl.table)
	if (!net->ipv6.sysctl.table)
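Review bot: the new `ipv6_table[7].mode = 0444;` hardcodes the position of the mld_max_msf entry, and nothing in this function ties index 7 to that sysctl; if an entry is inserted or reordered in the static table, a different sysctl silently becomes read-only in non-init namespaces while mld_max_msf stays writable. Suggest naming the entry in the comment (it currently says only "this value") or giving the slot a named index, so the dependency on table ordering is explicit, in the same way the `[5]`/`[6]` lines above are recognisable by the `frags.timeout` and `frags.secret_interval` members they point at. It is also worth stating in the comment that, unlike entries 5 and 6, entry 7's `.data` is deliberately left unchanged, so every namespace reads the same global value and only writes outside `init_net` are refused by the mode bits.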