diff options
| author | Krister Johansen <kjlx@templeofstupid.com> | 2017-01-20 20:49:11 -0500 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2017-01-24 12:10:51 -0500 |
| commit | 4548b683b78137f8eadeb312b94e20bb0d4a7141 (patch) | |
| tree | 8b285d141f533807625336c4524411bf31d48d9f /net/sctp/socket.c | |
| parent | d140199af510ad4749dc5e38b7922135258ba5fd (diff) | |
Introduce a sysctl that modifies the value of PROT_SOCK.
Add net.ipv4.ip_unprivileged_port_start, which is a per namespace sysctl
that denotes the first unprivileged inet port in the namespace. To
disable all privileged ports set this to zero. It also checks for
overlap with the local port range. The privileged and local range may
not overlap.
The use case for this change is to allow containerized processes to bind
to priviliged ports, but prevent them from ever being allowed to modify
their container's network configuration. The latter is accomplished by
ensuring that the network namespace is not a child of the user
namespace. This modification was needed to allow the container manager
to disable a namespace's priviliged port restrictions without exposing
control of the network namespace to processes in the user namespace.
Signed-off-by: Krister Johansen <kjlx@templeofstupid.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/sctp/socket.c')
| -rw-r--r-- | net/sctp/socket.c | 10 |
1 files changed, 6 insertions, 4 deletions
diff --git a/net/sctp/socket.c b/net/sctp/socket.c index bee4dd3feabb..d699d2cbf275 100644 --- a/net/sctp/socket.c +++ b/net/sctp/socket.c | |||
| @@ -360,7 +360,7 @@ static int sctp_do_bind(struct sock *sk, union sctp_addr *addr, int len) | |||
| 360 | } | 360 | } |
| 361 | } | 361 | } |
| 362 | 362 | ||
| 363 | if (snum && snum < PROT_SOCK && | 363 | if (snum && snum < inet_prot_sock(net) && |
| 364 | !ns_capable(net->user_ns, CAP_NET_BIND_SERVICE)) | 364 | !ns_capable(net->user_ns, CAP_NET_BIND_SERVICE)) |
| 365 | return -EACCES; | 365 | return -EACCES; |
| 366 | 366 | ||
| @@ -1152,8 +1152,10 @@ static int __sctp_connect(struct sock *sk, | |||
| 1152 | * accept new associations, but it SHOULD NOT | 1152 | * accept new associations, but it SHOULD NOT |
| 1153 | * be permitted to open new associations. | 1153 | * be permitted to open new associations. |
| 1154 | */ | 1154 | */ |
| 1155 | if (ep->base.bind_addr.port < PROT_SOCK && | 1155 | if (ep->base.bind_addr.port < |
| 1156 | !ns_capable(net->user_ns, CAP_NET_BIND_SERVICE)) { | 1156 | inet_prot_sock(net) && |
| 1157 | !ns_capable(net->user_ns, | ||
| 1158 | CAP_NET_BIND_SERVICE)) { | ||
| 1157 | err = -EACCES; | 1159 | err = -EACCES; |
| 1158 | goto out_free; | 1160 | goto out_free; |
| 1159 | } | 1161 | } |
| @@ -1818,7 +1820,7 @@ static int sctp_sendmsg(struct sock *sk, struct msghdr *msg, size_t msg_len) | |||
| 1818 | * but it SHOULD NOT be permitted to open new | 1820 | * but it SHOULD NOT be permitted to open new |
| 1819 | * associations. | 1821 | * associations. |
| 1820 | */ | 1822 | */ |
| 1821 | if (ep->base.bind_addr.port < PROT_SOCK && | 1823 | if (ep->base.bind_addr.port < inet_prot_sock(net) && |
| 1822 | !ns_capable(net->user_ns, CAP_NET_BIND_SERVICE)) { | 1824 | !ns_capable(net->user_ns, CAP_NET_BIND_SERVICE)) { |
| 1823 | err = -EACCES; | 1825 | err = -EACCES; |
| 1824 | goto out_unlock; | 1826 | goto out_unlock; |