Re: [PATCH 1/1] Change ping_group_range default to what Android's init script sets.
Rob Landley writes:

> From: Rob Landley
>
> See message from the Android "native tools and libraries team" lead
> (I.E. the maintainer of bionic, adb, toolbox, etc) at
> http://lists.landley.net/pipermail/toybox-landley.net/2017-July/009103.html

Sigh. The list has no https access so it is unreachable here, and even if it were I would not be able to verify that was not some spoofed or someone was not hacking the contents of the list archive in flight.

As for the patch itself going from no group is allowed to create ping sockets by default to everyone may create ping sockets by default seems potentially dangerous.

Why in the world would this be safe? Why would this be wise?

Eric

> Signed-off-by: Rob Landley > --- > > net/ipv4/af_inet.c |8 ++-- > 1 file changed, 2 insertions(+), 6 deletions(-) > > diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c > index e31108e..5b39a96 100644 > --- a/net/ipv4/af_inet.c > +++ b/net/ipv4/af_inet.c > @@ -1712,12 +1712,8 @@ static __net_init int inet_init_net(struct net *net) > net->ipv4.ip_local_ports.range[1] = 60999; > > seqlock_init(>ipv4.ping_group_range.lock); > - /* > - * Sane defaults - nobody may create ping sockets. > - * Boot scripts should set this to distro-specific group. > - */ > - net->ipv4.ping_group_range.range[0] = make_kgid(_user_ns, 1); > - net->ipv4.ping_group_range.range[1] = make_kgid(_user_ns, 0); > + net->ipv4.ping_group_range.range[0] = make_kgid(_user_ns, 0); > + net->ipv4.ping_group_range.range[1] = make_kgid(_user_ns, > 2147483647); > > /* Default values for sysctl-controlled parameters. >* We set them here, in case sysctl is not compiled.
Re: [PATCH 1/1] Change ping_group_range default to what Android's init script sets.
On 10/30/2017 08:39 PM, Rob Landley wrote:

> From: Rob Landley
>
> See message from the Android "native tools and libraries team" lead
> (I.E. the maintainer of bionic, adb, toolbox, etc) at
> http://lists.landley.net/pipermail/toybox-landley.net/2017-July/009103.html
>
> Signed-off-by: Rob Landley > --- > > net/ipv4/af_inet.c |8 ++-- > 1 file changed, 2 insertions(+), 6 deletions(-) > > diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c > index e31108e..5b39a96 100644 > --- a/net/ipv4/af_inet.c > +++ b/net/ipv4/af_inet.c > @@ -1712,12 +1712,8 @@ static __net_init int inet_init_net(struct net *net) > net->ipv4.ip_local_ports.range[1] = 60999; > > seqlock_init(>ipv4.ping_group_range.lock); > - /* > - * Sane defaults - nobody may create ping sockets. > - * Boot scripts should set this to distro-specific group. > - */ > - net->ipv4.ping_group_range.range[0] = make_kgid(_user_ns, 1); > - net->ipv4.ping_group_range.range[1] = make_kgid(_user_ns, 0); > + net->ipv4.ping_group_range.range[0] = make_kgid(_user_ns, 0); > + net->ipv4.ping_group_range.range[1] = make_kgid(_user_ns, > 2147483647);

It would help me to know that that magic number is 0x7fff.

> /* Default values for sysctl-controlled parameters. >* We set them here, in case sysctl is not compiled. >

--
~Randy
Re: [PATCH 1/1] Change ping_group_range default to what Android's init script sets.
Please CC: net...@vger.kernel.org for all networking patches. Asking questions on lkml about networking issues is unlikely to obtain a response.

Also, instead of giving an external reference to a web site discussion, you must explain _in painful detail_ in your commit message the reasons for making this change. Just "Android does it this way" is not an acceptable reason. People should be able to read the commit message and completely understand why a change was made.

Thanks.
[PATCH 1/1] Change ping_group_range default to what Android's init script sets.
From: Rob Landley See message from the Android "native tools and libraries team" lead (I.E. the maintainer of bionic, adb, toolbox, etc) at http://lists.landley.net/pipermail/toybox-landley.net/2017-July/009103.html Signed-off-by: Rob Landley --- net/ipv4/af_inet.c |8 ++-- 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c index e31108e..5b39a96 100644 --- a/net/ipv4/af_inet.c +++ b/net/ipv4/af_inet.c @@ -1712,12 +1712,8 @@ static __net_init int inet_init_net(struct net *net) net->ipv4.ip_local_ports.range[1] = 60999; seqlock_init(>ipv4.ping_group_range.lock); - /* -* Sane defaults - nobody may create ping sockets. -* Boot scripts should set this to distro-specific group. -*/ - net->ipv4.ping_group_range.range[0] = make_kgid(_user_ns, 1); - net->ipv4.ping_group_range.range[1] = make_kgid(_user_ns, 0); + net->ipv4.ping_group_range.range[0] = make_kgid(_user_ns, 0); + net->ipv4.ping_group_range.range[1] = make_kgid(_user_ns, 2147483647); /* Default values for sysctl-controlled parameters. * We set them here, in case sysctl is not compiled.
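Review bot: the two replacement assignments to ping_group_range.range[0] and range[1] in inet_init_net() delete the comment that documented the default and put nothing in its place. The old pair (1, 0) is an empty range, so no group could create ping sockets, while the new pair (0, 2147483647) covers every gid from 0 up to the largest signed 32-bit value, which turns a deny-by-default setting into allow-by-default. Please add a comment above the new lines saying that every group may now create ping sockets and why that is acceptable as a kernel default, and give the upper bound a recognizable form (a named constant, or a comment stating what the number is) instead of the bare decimal literal. The commit message should also carry the rationale in full, not only a link to an external list archive.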