subject:"Re\: \[PATCH\] netfilter\: don't permit unprivileged writes to global state via sysctls"

Re: [PATCH] netfilter: don't permit unprivileged writes to global state via sysctls

2016-10-22 Thread David Miller

From: Jann Horn 
Date: Sat, 22 Oct 2016 23:23:42 +0200

> On Thu, Oct 20, 2016 at 02:37:47PM -0400, David Miller wrote:
>> From: Pablo Neira Ayuso 
>> Date: Thu, 20 Oct 2016 20:22:24 +0200
>> 
>> > On Sat, Sep 24, 2016 at 12:21:04AM +0200, Jann Horn wrote:
>> >> This prevents the modification of nf_conntrack_max in unprivileged network
>> >> namespaces. For unprivileged network namespaces, ip_conntrack_max is kept
>> >> as a readonly sysctl in order to minimize potential compatibility issues.
>> >> 
>> >> This patch should apply cleanly to the net tree.
>> > 
>> > For the record: This patch looks good to me, but this legacy
>> > ip_conntrack sysctl code is now gone.
>> > 
>> > I don't know what is the procedure to get this to -stable branches now
>> > that this cannot be pushed upstream.
>> 
>> In the commit message for the -stable submission simply say "Not
>> applicable" in the upstream commit reference.  Like:
>> 
>>  [ Upstream commit: Not applicable ]
>> 
>> or something like that.
> 
> Who should do that? Me, after getting a maintainer ack? Or the maintainer?

When the maintainer submits a patch to -stable, that's what they
add to the commit message.

Re: [PATCH] netfilter: don't permit unprivileged writes to global state via sysctls

2016-10-22 Thread Jann Horn

On Thu, Oct 20, 2016 at 02:37:47PM -0400, David Miller wrote:
> From: Pablo Neira Ayuso 
> Date: Thu, 20 Oct 2016 20:22:24 +0200
> 
> > On Sat, Sep 24, 2016 at 12:21:04AM +0200, Jann Horn wrote:
> >> This prevents the modification of nf_conntrack_max in unprivileged network
> >> namespaces. For unprivileged network namespaces, ip_conntrack_max is kept
> >> as a readonly sysctl in order to minimize potential compatibility issues.
> >> 
> >> This patch should apply cleanly to the net tree.
> > 
> > For the record: This patch looks good to me, but this legacy
> > ip_conntrack sysctl code is now gone.
> > 
> > I don't know what is the procedure to get this to -stable branches now
> > that this cannot be pushed upstream.
> 
> In the commit message for the -stable submission simply say "Not
> applicable" in the upstream commit reference.  Like:
> 
>   [ Upstream commit: Not applicable ]
> 
> or something like that.

Who should do that? Me, after getting a maintainer ack? Or the maintainer?


signature.asc
Description: Digital signature

Re: [PATCH] netfilter: don't permit unprivileged writes to global state via sysctls

2016-10-20 Thread David Miller

From: Pablo Neira Ayuso 
Date: Thu, 20 Oct 2016 20:22:24 +0200

> On Sat, Sep 24, 2016 at 12:21:04AM +0200, Jann Horn wrote:
>> This prevents the modification of nf_conntrack_max in unprivileged network
>> namespaces. For unprivileged network namespaces, ip_conntrack_max is kept
>> as a readonly sysctl in order to minimize potential compatibility issues.
>> 
>> This patch should apply cleanly to the net tree.
> 
> For the record: This patch looks good to me, but this legacy
> ip_conntrack sysctl code is now gone.
> 
> I don't know what is the procedure to get this to -stable branches now
> that this cannot be pushed upstream.

In the commit message for the -stable submission simply say "Not
applicable" in the upstream commit reference.  Like:

[ Upstream commit: Not applicable ]

or something like that.

Re: [PATCH] netfilter: don't permit unprivileged writes to global state via sysctls

2016-10-20 Thread Pablo Neira Ayuso

On Sat, Sep 24, 2016 at 12:21:04AM +0200, Jann Horn wrote:
> This prevents the modification of nf_conntrack_max in unprivileged network
> namespaces. For unprivileged network namespaces, ip_conntrack_max is kept
> as a readonly sysctl in order to minimize potential compatibility issues.
> 
> This patch should apply cleanly to the net tree.

For the record: This patch looks good to me, but this legacy
ip_conntrack sysctl code is now gone.

I don't know what is the procedure to get this to -stable branches now
that this cannot be pushed upstream.

> Signed-off-by: Jann Horn 
> ---
>  net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c 
> b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
> index ae1a71a..a639e94 100644
> --- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
> +++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
> @@ -358,6 +358,9 @@ static int ipv4_init_net(struct net *net)
>   if (!in->ctl_table)
>   return -ENOMEM;
>  
> + if (net->user_ns != _user_ns)
> + in->ctl_table[0].mode = 0444;
> +
>   in->ctl_table[0].data = _conntrack_max;
>   in->ctl_table[1].data = >ct.count;
>   in->ctl_table[2].data = _conntrack_htable_size;
> -- 
> 2.1.4
>

Re: [PATCH] netfilter: don't permit unprivileged writes to global state via sysctls

Re: [PATCH] netfilter: don't permit unprivileged writes to global state via sysctls

Re: [PATCH] netfilter: don't permit unprivileged writes to global state via sysctls

Re: [PATCH] netfilter: don't permit unprivileged writes to global state via sysctls

4 matches

Site Navigation

Mail list logo

Footer information