From: Jann Horn <j...@thejh.net> Date: Sun, 18 Sep 2016 22:58:20 +0200
> There were two net sysctls that could be written from unprivileged net
> namespaces, but weren't actually namespaced.
>
> To fix the existing issues and prevent stuff like this from happening again in
> the future, explicitly whitelist permitted sysctls.
>
> Note: The current whitelist is "allow everything that was previously
> accessible and that doesn't obviously modify global state".
>
> On my system, this patch just removes the write permissions for
> ipv4/netfilter/ip_conntrack_max, which would have been usable for a local
> DoS. With a different config, the ipv4/vs/debug_level sysctl would also be
> affected.
>
> Maximum impact of this seems to be local DoS, and it's a fairly large
> commit, so I'm sending this publicly directly.
>
> An alternative (and much smaller) fix would be to just change the
> permissions of the two files in question to be 0444 in non-privileged
> namespaces, but I believe that this solution is slightly less error-prone.
> If you think I should switch to the simple fix, let me know.
>
> Signed-off-by: Jann Horn <j...@thejh.net>

I think this is fine for net-next and will apply it there.

But for 'net' and 'stable', please also submit the simpler fix.

Thanks.