Re: [PATCH net-next] net: Enable some sysctls for the userns root with privilege

From: Joanne Koong
Date: Tue Dec 07 2021 - 17:19:26 EST


On 12/6/21 11:18 PM, CGEL wrote:

> On Mon, Dec 06, 2021 at 04:45:20PM -0800, Jakub Kicinski wrote:
> > On Fri, 3 Dec 2021 03:28:15 +0000 cgel.zte@xxxxxxxxx wrote:
> > > From: xu xin <xu.xin16@xxxxxxxxxx>
> > >
> > > Enabled sysctls include the following:
> > > 1. net/ipv4/neigh/<if>/*
> > > 2. net/ipv6/neigh/<if>/*
> > > 3. net/ieee802154/6lowpan/*
> > > 4. net/ipv6/route/*
> > > 5. net/ipv4/vs/*
> > > 6. net/unix/*
> > > 7. net/core/xfrm_*
> > >
> > > In practical work, some userns with root privilege have a need to adjust
> > > these sysctls in their own netns, but are limited just because they are not
> > > the init user_ns, even if they are given root privilege by docker --privileged.
> > You need to justify why removing these checks is safe. It sounds like
> > you're only describing why having the permissions is problematic, which
> > is fair but not sufficient to just remove them.
>
> Hi, Jakub
> My patch is a little radical. I just saw Eric's previous reply to
> Alexander (https://lore.kernel.org/all/87pmsqyuqy.fsf@disp2133/).
> These were disabled out of an abundance of caution.
>
> My original intention was to enable the part of the sysctls about neighbor which
> I think is safe, but I will try to figure out which of these sysctls
> are safe to be enabled.

A team at my company has a use case for needing to set the unix sysctls,
so I submitted a patch for enabling the unix sysctl here:
https://lore.kernel.org/netdev/20211207202101.2457994-1-joannekoong@xxxxxx/T/#u

> > > [...]
> > > Signed-off-by: xu xin <xu.xin16@xxxxxxxxxx>
> > > ---
> > >  net/core/neighbour.c                | 4 ----
> > >  net/ieee802154/6lowpan/reassembly.c | 4 ----
> > >  net/ipv6/route.c                    | 4 ----
> > >  net/netfilter/ipvs/ip_vs_ctl.c      | 4 ----
> > >  net/netfilter/ipvs/ip_vs_lblc.c     | 4 ----
> > >  net/netfilter/ipvs/ip_vs_lblcr.c    | 3 ---
> > >  net/unix/sysctl_net_unix.c          | 4 ----
> > >  net/xfrm/xfrm_sysctl.c              | 4 ----
> > >  8 files changed, 31 deletions(-)
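Before accepting or rejecting a change like this, an operator wants to know what their running kernel actually does for the sysctls named in the patch: whether a userns root in its own netns sees them at all, sees them read-only, or can write them. The script below is an added example for that check; it is not part of this thread or of either patch. It assumes util-linux `unshare` is installed and that unprivileged user namespaces are enabled; the list of probed paths is constructed from the subtrees the patch touches, one representative entry per subtree.

```shell
#!/bin/sh
# Added example (not from the thread): classify how a fresh user+net namespace
# sees a given net sysctl. Output is one of:
#   hidden      - the entry does not exist in the new netns
#   readonly    - it exists but the userns root cannot write it
#   writable    - the userns root can write it
#   unsupported - unshare is missing or user namespaces are disabled here

# Representative entries, one per subtree named in the patch (constructed list;
# net/ipv6 and xfrm entries only exist if those subsystems are built/loaded).
PROBE_PATHS="net/unix/max_dgram_qlen \
net/ipv4/neigh/default/gc_thresh1 \
net/ipv6/route/gc_thresh \
net/core/xfrm_aevent_etime"

# probe_sysctl <relative path under /proc/sys>
# Runs the probe inside `unshare -Urn`: -U gives a new user namespace where we
# are uid 0, -r maps our uid to that root, -n gives a new network namespace.
# /proc/sys/net resolves against the opener's netns, so the child sees the
# table the kernel builds for a non-init user_ns. The write test writes the
# value back unchanged, so a successful probe does not alter any setting.
probe_sysctl() {
    path="/proc/sys/$1"
    unshare -Urn sh -c '
        p="$1"
        [ -e "$p" ] || { echo hidden; exit 0; }
        v=$(cat "$p" 2>/dev/null) || { echo hidden; exit 0; }
        if printf "%s\n" "$v" > "$p" 2>/dev/null; then
            echo writable
        else
            echo readonly
        fi
    ' sh "$path" 2>/dev/null || echo unsupported
}

# Report every probed entry when run directly.
for p in $PROBE_PATHS; do
    printf '%-36s %s\n' "$p" "$(probe_sysctl "$p")"
done
```

On a kernel without this patch the `net/unix`, neigh and xfrm entries are expected to report `hidden` inside the new namespace (the tables are not exported to a non-init user_ns); with it they would become `writable` for the namespace's root. `unsupported` means the host does not allow unprivileged user namespaces, in which case the same check can be run as real root from a container started with `docker --privileged`.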