Re: [PATCH 1/1] Change ping_group_range default to what Android's init script sets.

2017-10-31 Thread Eric W. Biederman
Rob Landley  writes:

> From: Rob Landley 
>
> See message from the Android "native tools and libraries team" lead
> (I.E. the maintainer of bionic, adb, toolbox, etc) at
> http://lists.landley.net/pipermail/toybox-landley.net/2017-July/009103.html

Sigh.  The list has no https access so it is unreachable here, and even
if it were I would not be able to verify that it was not some spoof,
or that someone was not hacking the contents of the list archive in flight.

As for the patch itself, going from no group is allowed to create ping sockets by
default to everyone may create ping sockets by default seems potentially
dangerous.

Why in the world would this be safe?
Why would this be wise?

Eric


> Signed-off-by: Rob Landley 
> ---
>
>  net/ipv4/af_inet.c |8 ++--
>  1 file changed, 2 insertions(+), 6 deletions(-)
>
> diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
> index e31108e..5b39a96 100644
> --- a/net/ipv4/af_inet.c
> +++ b/net/ipv4/af_inet.c
> @@ -1712,12 +1712,8 @@ static __net_init int inet_init_net(struct net *net)
>   net->ipv4.ip_local_ports.range[1] =  60999;
>  
>   seqlock_init(>ipv4.ping_group_range.lock);
> - /*
> -  * Sane defaults - nobody may create ping sockets.
> -  * Boot scripts should set this to distro-specific group.
> -  */
> - net->ipv4.ping_group_range.range[0] = make_kgid(_user_ns, 1);
> - net->ipv4.ping_group_range.range[1] = make_kgid(_user_ns, 0);
> + net->ipv4.ping_group_range.range[0] = make_kgid(_user_ns, 0);
> + net->ipv4.ping_group_range.range[1] = make_kgid(_user_ns, 
> 2147483647);
>  
>   /* Default values for sysctl-controlled parameters.
>* We set them here, in case sysctl is not compiled.

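The concern above is about what the default means in practice, so here is a defender-side check for the live setting, added as an example and not taken from any message in this thread. It reads the sysctl at /proc/sys/net/ipv4/ping_group_range (the real path; the two-integer "LOW HIGH" format is the kernel's) and classifies it as the pre-patch empty range (nobody), the patch's 0..2147483647 (every group), or a narrower distro-specific range. The function names are my own.

```shell
#!/bin/sh
# Classify a ping_group_range value given as LOW and HIGH.
#   "disabled"   : LOW > HIGH, the empty range the kernel ships by default (1 0)
#   "everyone"   : 0 .. 2147483647 (0x7fffffff), what the patch proposes
#   "restricted" : any other non-empty range, e.g. a single distro group
ping_group_range_class() {
    low=$1
    high=$2
    if [ "$low" -gt "$high" ]; then
        echo "disabled"
    elif [ "$low" -eq 0 ] && [ "$high" -ge 2147483647 ]; then
        echo "everyone"
    else
        echo "restricted"
    fi
}

# Report this host's live setting, if the sysctl is exposed.
# Prints "LOW HIGH CLASS", or "unavailable" (and returns 1) when
# /proc/sys/net/ipv4/ping_group_range cannot be read.
check_host_ping_group_range() {
    f=/proc/sys/net/ipv4/ping_group_range
    if [ ! -r "$f" ]; then
        echo "unavailable"
        return 1
    fi
    read -r low high < "$f"
    echo "$low $high $(ping_group_range_class "$low" "$high")"
}

# Stand-alone use: show the current host's setting (non-fatal if absent).
check_host_ping_group_range || :
```

A value of "everyone" means any unprivileged process on the host can open an ICMP datagram socket; for a hardened host you would expect either "disabled" or a "restricted" range that covers only the group your ping binary runs as.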

Re: [PATCH 1/1] Change ping_group_range default to what Android's init script sets.

2017-10-31 Thread Randy Dunlap
On 10/30/2017 08:39 PM, Rob Landley wrote:
> From: Rob Landley 
> 
> See message from the Android "native tools and libraries team" lead
> (I.E. the maintainer of bionic, adb, toolbox, etc) at
> http://lists.landley.net/pipermail/toybox-landley.net/2017-July/009103.html
> 
> Signed-off-by: Rob Landley 
> ---
> 
>  net/ipv4/af_inet.c |8 ++--
>  1 file changed, 2 insertions(+), 6 deletions(-)
> 
> diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
> index e31108e..5b39a96 100644
> --- a/net/ipv4/af_inet.c
> +++ b/net/ipv4/af_inet.c
> @@ -1712,12 +1712,8 @@ static __net_init int inet_init_net(struct net *net)
>   net->ipv4.ip_local_ports.range[1] =  60999;
>  
>   seqlock_init(>ipv4.ping_group_range.lock);
> - /*
> -  * Sane defaults - nobody may create ping sockets.
> -  * Boot scripts should set this to distro-specific group.
> -  */
> - net->ipv4.ping_group_range.range[0] = make_kgid(_user_ns, 1);
> - net->ipv4.ping_group_range.range[1] = make_kgid(_user_ns, 0);
> + net->ipv4.ping_group_range.range[0] = make_kgid(_user_ns, 0);
> + net->ipv4.ping_group_range.range[1] = make_kgid(_user_ns, 
> 2147483647);

It would help me to know that that magic number is 0x7fff.

>   /* Default values for sysctl-controlled parameters.
>* We set them here, in case sysctl is not compiled.
> 


-- 
~Randy


Re: [PATCH 1/1] Change ping_group_range default to what Android's init script sets.

2017-10-31 Thread David Miller

Please CC: net...@vger.kernel.org for all networking patches.  Asking
questions on lkml about networking issues is unlikely to obtain a
response.

Also, instead of giving an external reference to a web site discussion,
you must explain _in painful detail_ in your commit message the
reasons for making this change.  Just "Android does it this way" is
not an acceptable reason.

People should be able to read the commit message and completely
understand why a change was made.

Thanks.


[PATCH 1/1] Change ping_group_range default to what Android's init script sets.

2017-10-30 Thread Rob Landley
From: Rob Landley 

See message from the Android "native tools and libraries team" lead
(I.E. the maintainer of bionic, adb, toolbox, etc) at
http://lists.landley.net/pipermail/toybox-landley.net/2017-July/009103.html

Signed-off-by: Rob Landley 
---

 net/ipv4/af_inet.c |8 ++--
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
index e31108e..5b39a96 100644
--- a/net/ipv4/af_inet.c
+++ b/net/ipv4/af_inet.c
@@ -1712,12 +1712,8 @@ static __net_init int inet_init_net(struct net *net)
net->ipv4.ip_local_ports.range[1] =  60999;
 
seqlock_init(>ipv4.ping_group_range.lock);
-   /*
-* Sane defaults - nobody may create ping sockets.
-* Boot scripts should set this to distro-specific group.
-*/
-   net->ipv4.ping_group_range.range[0] = make_kgid(_user_ns, 1);
-   net->ipv4.ping_group_range.range[1] = make_kgid(_user_ns, 0);
+   net->ipv4.ping_group_range.range[0] = make_kgid(_user_ns, 0);
+   net->ipv4.ping_group_range.range[1] = make_kgid(_user_ns, 
2147483647);
 
/* Default values for sysctl-controlled parameters.
 * We set them here, in case sysctl is not compiled.
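Review bot: the hunk deletes the comment "Boot scripts should set this to distro-specific group" and replaces the empty range with range[0] = 0, range[1] = 2147483647, so every gid in every newly initialised network namespace may create ping sockets, yet neither a replacement comment nor the commit message records why that is acceptable; the commit message should carry the rationale in-tree rather than a link, as was asked elsewhere in the thread. Two smaller points: the bare literal 2147483647 (0x7fffffff, the largest value a gid_t can hold in this range) should be a named constant, and since inet_init_net() runs for each new struct net, the widened default also applies to containers and other unprivileged-user-namespace network namespaces, which is worth stating explicitly in the justification.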

