diff options
| author | Eric W. Biederman <ebiederm@xmission.com> | 2012-11-16 03:02:59 (GMT) |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2012-11-19 01:30:55 (GMT) |
| commit | 464dc801c76aa0db88e16e8f5f47c6879858b9b2 (patch) | |
| tree | cfaf0f43f4ce50669f07031ec42062b4c9a7f985 /net/ipv4 | |
| parent | 73f7ef435934e952c1d70d83d69921ea5d1f6bd4 (diff) | |
| download | linux-464dc801c76aa0db88e16e8f5f47c6879858b9b2.tar.xz | |
net: Don't export sysctls to unprivileged users
In preparation for supporting the creation of network namespaces
by unprivileged users, modify all of the per net sysctl exports
and refuse to allow them to unprivileged users.
This makes it safe for unprivileged users in general to access
per net sysctls, and allows sysctls to be exported to unprivileged
users on an individual basis as they are deemed safe.
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv4')
| -rw-r--r-- | net/ipv4/devinet.c | 8 | ||||
| -rw-r--r-- | net/ipv4/ip_fragment.c | 4 | ||||
| -rw-r--r-- | net/ipv4/route.c | 4 | ||||
| -rw-r--r-- | net/ipv4/sysctl_net_ipv4.c | 3 |
4 files changed, 19 insertions, 0 deletions
diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c index f6db227..6e06e92 100644 --- a/net/ipv4/devinet.c +++ b/net/ipv4/devinet.c @@ -1815,6 +1815,10 @@ static int __devinet_sysctl_register(struct net *net, char *dev_name, t->devinet_vars[i].extra2 = net; } + /* Don't export sysctls to unprivileged users */ + if (net->user_ns != &init_user_ns) + t->devinet_vars[0].procname = NULL; + snprintf(path, sizeof(path), "net/ipv4/conf/%s", dev_name); t->sysctl_header = register_net_sysctl(net, path, t->devinet_vars); @@ -1900,6 +1904,10 @@ static __net_init int devinet_init_net(struct net *net) tbl[0].data = &all->data[IPV4_DEVCONF_FORWARDING - 1]; tbl[0].extra1 = all; tbl[0].extra2 = net; + + /* Don't export sysctls to unprivileged users */ + if (net->user_ns != &init_user_ns) + tbl[0].procname = NULL; #endif } diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c index 448e685..1cf6a76 100644 --- a/net/ipv4/ip_fragment.c +++ b/net/ipv4/ip_fragment.c @@ -802,6 +802,10 @@ static int __net_init ip4_frags_ns_ctl_register(struct net *net) table[0].data = &net->ipv4.frags.high_thresh; table[1].data = &net->ipv4.frags.low_thresh; table[2].data = &net->ipv4.frags.timeout; + + /* Don't export sysctls to unprivileged users */ + if (net->user_ns != &init_user_ns) + table[0].procname = NULL; } hdr = register_net_sysctl(net, "net/ipv4", table); diff --git a/net/ipv4/route.c b/net/ipv4/route.c index a8c65121..5b58788 100644 --- a/net/ipv4/route.c +++ b/net/ipv4/route.c @@ -2493,6 +2493,10 @@ static __net_init int sysctl_route_net_init(struct net *net) tbl = kmemdup(tbl, sizeof(ipv4_route_flush_table), GFP_KERNEL); if (tbl == NULL) goto err_dup; + + /* Don't export sysctls to unprivileged users */ + if (net->user_ns != &init_user_ns) + tbl[0].procname = NULL; } tbl[0].extra1 = net; diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c index 63d4ecc..d84400b 100644 --- a/net/ipv4/sysctl_net_ipv4.c +++ b/net/ipv4/sysctl_net_ipv4.c @@ -883,6 +883,9 @@ static __net_init int ipv4_sysctl_init_net(struct net *net) table[6].data = &net->ipv4.sysctl_ping_group_range; + /* Don't export sysctls to unprivileged users */ + if (net->user_ns != &init_user_ns) + table[0].procname = NULL; } /* |