Re: [PATCH] netfilter: don't permit unprivileged writes to global state via sysctls
From: Jann Horn
Date: Sat, 22 Oct 2016 23:23:42 +0200

> On Thu, Oct 20, 2016 at 02:37:47PM -0400, David Miller wrote:
>> From: Pablo Neira Ayuso
>> Date: Thu, 20 Oct 2016 20:22:24 +0200
>>
>> > On Sat, Sep 24, 2016 at 12:21:04AM +0200, Jann Horn wrote:
>> >> This prevents the modification of nf_conntrack_max in unprivileged network
>> >> namespaces. For unprivileged network namespaces, ip_conntrack_max is kept
>> >> as a readonly sysctl in order to minimize potential compatibility issues.
>> >>
>> >> This patch should apply cleanly to the net tree.
>> >
>> > For the record: This patch looks good to me, but this legacy
>> > ip_conntrack sysctl code is now gone.
>> >
>> > I don't know what the procedure is to get this to -stable branches now
>> > that this cannot be pushed upstream.
>>
>> In the commit message for the -stable submission simply say "Not
>> applicable" in the upstream commit reference. Like:
>>
>> [ Upstream commit: Not applicable ]
>>
>> or something like that.
>
> Who should do that? Me, after getting a maintainer ack? Or the maintainer?

When the maintainer submits a patch to -stable, that's what they add to the commit message.
Re: [PATCH] netfilter: don't permit unprivileged writes to global state via sysctls
On Thu, Oct 20, 2016 at 02:37:47PM -0400, David Miller wrote:
> From: Pablo Neira Ayuso
> Date: Thu, 20 Oct 2016 20:22:24 +0200
>
> > On Sat, Sep 24, 2016 at 12:21:04AM +0200, Jann Horn wrote:
> >> This prevents the modification of nf_conntrack_max in unprivileged network
> >> namespaces. For unprivileged network namespaces, ip_conntrack_max is kept
> >> as a readonly sysctl in order to minimize potential compatibility issues.
> >>
> >> This patch should apply cleanly to the net tree.
> >
> > For the record: This patch looks good to me, but this legacy
> > ip_conntrack sysctl code is now gone.
> >
> > I don't know what the procedure is to get this to -stable branches now
> > that this cannot be pushed upstream.
>
> In the commit message for the -stable submission simply say "Not
> applicable" in the upstream commit reference. Like:
>
> [ Upstream commit: Not applicable ]
>
> or something like that.

Who should do that? Me, after getting a maintainer ack? Or the maintainer?
Re: [PATCH] netfilter: don't permit unprivileged writes to global state via sysctls
From: Pablo Neira Ayuso
Date: Thu, 20 Oct 2016 20:22:24 +0200

> On Sat, Sep 24, 2016 at 12:21:04AM +0200, Jann Horn wrote:
>> This prevents the modification of nf_conntrack_max in unprivileged network
>> namespaces. For unprivileged network namespaces, ip_conntrack_max is kept
>> as a readonly sysctl in order to minimize potential compatibility issues.
>>
>> This patch should apply cleanly to the net tree.
>
> For the record: This patch looks good to me, but this legacy
> ip_conntrack sysctl code is now gone.
>
> I don't know what the procedure is to get this to -stable branches now
> that this cannot be pushed upstream.

In the commit message for the -stable submission simply say "Not
applicable" in the upstream commit reference. Like:

[ Upstream commit: Not applicable ]

or something like that.
Re: [PATCH] netfilter: don't permit unprivileged writes to global state via sysctls
On Sat, Sep 24, 2016 at 12:21:04AM +0200, Jann Horn wrote:
> This prevents the modification of nf_conntrack_max in unprivileged network
> namespaces. For unprivileged network namespaces, ip_conntrack_max is kept
> as a readonly sysctl in order to minimize potential compatibility issues.
>
> This patch should apply cleanly to the net tree.

For the record: This patch looks good to me, but this legacy
ip_conntrack sysctl code is now gone.

I don't know what the procedure is to get this to -stable branches now
that this cannot be pushed upstream.

> Signed-off-by: Jann Horn> --- > net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c > b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c > index ae1a71a..a639e94 100644 > --- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c > +++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c > @@ -358,6 +358,9 @@ static int ipv4_init_net(struct net *net) > if (!in->ctl_table) > return -ENOMEM; > > + if (net->user_ns != _user_ns) > + in->ctl_table[0].mode = 0444; > + > in->ctl_table[0].data = _conntrack_max; > in->ctl_table[1].data = >ct.count; > in->ctl_table[2].data = _conntrack_htable_size; > -- > 2.1.4 >
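Review bot: the mode override in the hunk covers only in->ctl_table[0] (the entry whose .data is set to _conntrack_max a few lines further down), while in->ctl_table[2] in the same context also points at a global, _conntrack_htable_size; the commit message should state whether that entry is already non-writable, or the hunk should apply the same 0444 override to it. A one-line comment above the `if (net->user_ns != ...)` check saying that this sysctl backs a single global value rather than per-namespace state would also help, since the bare 0444 literal and the [0] index otherwise read as arbitrary to the next person touching ipv4_init_net().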