Make it the first entry in the ipv4_net_table list, and allow it for a VE's initial user_ns.
This option should be safe to allow inside container, though I don't allow other the table options. In ipv6 the similar option is allowed unconditionally.
https://jira.sw.ru/browse/PSBM-60975
Signed-off-by: Kirill Tkhai <[email protected]>
---
 net/ipv4/sysctl_net_ipv4.c | 22 ++++++++++++++--------
 1 file changed, 14 insertions(+), 8 deletions(-)
diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
index 5c5f858f109..20945cb9db3 100644
--- a/net/ipv4/sysctl_net_ipv4.c
+++ b/net/ipv4/sysctl_net_ipv4.c
@@ -823,6 +823,13 @@ static struct ctl_table ipv4_table[] = {
 };
 
 static struct ctl_table ipv4_net_table[] = {
+ { /* This must go first. See ipv4_sysctl_init_net() */
+ .procname = "ip_nonlocal_bind",
+ .data = &init_net.ipv4_sysctl_ip_nonlocal_bind,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = proc_dointvec
+ },
 {
 .procname = "icmp_echo_ignore_all",
 .data = &init_net.ipv4.sysctl_icmp_echo_ignore_all,
@@ -906,13 +913,6 @@ static struct ctl_table ipv4_net_table[] = {
 .mode = 0644,
 .proc_handler = proc_dointvec,
 },
- {
- .procname = "ip_nonlocal_bind",
- .data = &init_net.ipv4_sysctl_ip_nonlocal_bind,
- .maxlen = sizeof(int),
- .mode = 0644,
- .proc_handler = proc_dointvec
- },
 { }
 };
 
@@ -932,8 +932,14 @@ static __net_init int ipv4_sysctl_init_net(struct net *net)
 for (i = 0; i < ARRAY_SIZE(ipv4_net_table) - 1; i++)
 table[i].data += (void *)net - (void *)&init_net;
 
+ /*
+ * Check that it's a creating VE or VE's initial user_ns,
+ * and allow ip_nonlocal_bind only:
+ */
+ if (!ve_is_super(get_exec_env()) && !ve_net_hide_sysctl(net))
+ table[1].procname = NULL;
 /* Don't export sysctls to unprivileged users */
- if (net->user_ns != &init_user_ns)
+ else if (net->user_ns != &init_user_ns)
 table[0].procname = NULL;
 }
 
_______________________________________________
Devel mailing list
[email protected]
https://lists.openvz.org/mailman/listinfo/devel
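Review bot: In the ipv4_sysctl_init_net() hunk, the new `table[1].procname = NULL;` truncation only exports the right sysctl if ip_nonlocal_bind stays at ipv4_net_table[0], and nothing enforces that ordering beyond the comment added in the first hunk, so a later reordering of the table would silently export a different 0644 sysctl into containers. A cheap guard is `WARN_ON_ONCE(strcmp(table[0].procname, "ip_nonlocal_bind"));` placed before the truncation, or an index define such as `#define IPV4_NET_SYSCTL_NONLOCAL_BIND 0` used in both the table and this function instead of the bare `0`/`1`. The comment above the new check reads as a precondition rather than describing the branch; I would reword it to `/* Non-super VE with visible sysctls: export only ip_nonlocal_bind (table[0]) */`. Note also that the `net->user_ns != &init_user_ns` test is now only reached on the else path, so unless ve_net_hide_sysctl() already covers nested user namespaces (not visible here), a net namespace created from an unprivileged user_ns inside a VE would keep a writable ip_nonlocal_bind entry where it previously saw nothing. ipv4_sysctl_init_net() starts and ends outside the hunk.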
