net: Enable some sysctls that are safe for the userns root

- Enable the per device ipv4 sysctls: net/ipv4/conf/<if>/forwarding net/ipv4/conf/<if>/mc_forwarding net/ipv4/conf/<if>/accept_redirects net/ipv4/conf/<if>/secure_redirects net/ipv4/conf/<if>/shared_media net/ipv4/conf/<if>/rp_filter net/ipv4/conf/<if>/send_redirects net/ipv4/conf/<if>/accept_source_route net/ipv4/conf/<if>/accept_local net/ipv4/conf/<if>/src_valid_mark net/ipv4/conf/<if>/proxy_arp net/ipv4/conf/<if>/medium_id net/ipv4/conf/<if>/bootp_relay net/ipv4/conf/<if>/log_martians net/ipv4/conf/<if>/tag net/ipv4/conf/<if>/arp_filter net/ipv4/conf/<if>/arp_announce net/ipv4/conf/<if>/arp_ignore net/ipv4/conf/<if>/arp_accept net/ipv4/conf/<if>/arp_notify net/ipv4/conf/<if>/proxy_arp_pvlan net/ipv4/conf/<if>/disable_xfrm net/ipv4/conf/<if>/disable_policy net/ipv4/conf/<if>/force_igmp_version net/ipv4/conf/<if>/promote_secondaries net/ipv4/conf/<if>/route_localnet - Enable the global ipv4 sysctl: net/ipv4/ip_forward - Enable the per device ipv6 sysctls: net/ipv6/conf/<if>/forwarding net/ipv6/conf/<if>/hop_limit net/ipv6/conf/<if>/mtu net/ipv6/conf/<if>/accept_ra net/ipv6/conf/<if>/accept_redirects net/ipv6/conf/<if>/autoconf net/ipv6/conf/<if>/dad_transmits net/ipv6/conf/<if>/router_solicitations net/ipv6/conf/<if>/router_solicitation_interval net/ipv6/conf/<if>/router_solicitation_delay net/ipv6/conf/<if>/force_mld_version net/ipv6/conf/<if>/use_tempaddr net/ipv6/conf/<if>/temp_valid_lft net/ipv6/conf/<if>/temp_prefered_lft net/ipv6/conf/<if>/regen_max_retry net/ipv6/conf/<if>/max_desync_factor net/ipv6/conf/<if>/max_addresses net/ipv6/conf/<if>/accept_ra_defrtr net/ipv6/conf/<if>/accept_ra_pinfo net/ipv6/conf/<if>/accept_ra_rtr_pref net/ipv6/conf/<if>/router_probe_interval net/ipv6/conf/<if>/accept_ra_rt_info_max_plen net/ipv6/conf/<if>/proxy_ndp net/ipv6/conf/<if>/accept_source_route net/ipv6/conf/<if>/optimistic_dad net/ipv6/conf/<if>/mc_forwarding net/ipv6/conf/<if>/disable_ipv6 net/ipv6/conf/<if>/accept_dad net/ipv6/conf/<if>/force_tllao - Enable the global ipv6 sysctls: net/ipv6/bindv6only net/ipv6/icmp/ratelimit Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Eric W. Biederman <ebiederm@xmission.com> 2012-11-15 22:03:10 -0500
committer: David S. Miller <davem@davemloft.net> 2012-11-18 20:33:00 -0500
commit: c027aab4a6b1fe2541090ac04bee8ad246aeef70 (patch)
tree: e53b0a69cba2bd4476812f06e97986bcdfb0195c
parent: 276996fda0f33bd5e5e028c426f852ecd119372b (diff)
4 files changed, 1 insertions, 22 deletions
diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
index 259622a5e690..298c1c279739 100644
--- a/net/ipv4/devinet.c
+++ b/net/ipv4/devinet.c
@@ -1821,10 +1821,6 @@ static int __devinet_sysctl_register(struct net *net, char *dev_name,
                t->devinet_vars[i].extra2 = net;
        }
-        /* Don't export sysctls to unprivileged users */
-        if (net->user_ns != &init_user_ns)
-                t->devinet_vars[0].procname = NULL;
        snprintf(path, sizeof(path), "net/ipv4/conf/%s", dev_name);
        t->sysctl_header = register_net_sysctl(net, path, t->devinet_vars);
@@ -1910,10 +1906,6 @@ static __net_init int devinet_init_net(struct net *net)
                tbl[0].data = &all->data[IPV4_DEVCONF_FORWARDING - 1];
                tbl[0].extra1 = all;
                tbl[0].extra2 = net;
-                /* Don't export sysctls to unprivileged users */
-                if (net->user_ns != &init_user_ns)
-                        tbl[0].procname = NULL;
 #endif
        }
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index 67ac9f8d1976..d39fe490da08 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -4741,10 +4741,6 @@ static int __addrconf_sysctl_register(struct net *net, char *dev_name,
                t->addrconf_vars[i].extra2 = net;
        }
-        /* Don't export sysctls to unprivileged users */
-        if (net->user_ns != &init_user_ns)
-                t->addrconf_vars[0].procname = NULL;
        snprintf(path, sizeof(path), "net/ipv6/conf/%s", dev_name);
        t->sysctl_header = register_net_sysctl(net, path, t->addrconf_vars);
diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c
index d77dc1e2a42b..b4a9fd51dae7 100644
--- a/net/ipv6/icmp.c
+++ b/net/ipv6/icmp.c
@@ -967,14 +967,9 @@ struct ctl_table * __net_init ipv6_icmp_sysctl_init(struct net *net)
                        sizeof(ipv6_icmp_table_template),
                        GFP_KERNEL);
-        if (table) {
+        if (table)
                table[0].data = &net->ipv6.sysctl.icmpv6_time;
-                /* Don't export sysctls to unprivileged users */
-                if (net->user_ns != &init_user_ns)
-                        table[0].procname = NULL;
-        }
        return table;
 }
 #endif
diff --git a/net/ipv6/sysctl_net_ipv6.c b/net/ipv6/sysctl_net_ipv6.c
index b06fd078e6c7..e85c48bd404f 100644
--- a/net/ipv6/sysctl_net_ipv6.c
+++ b/net/ipv6/sysctl_net_ipv6.c
@@ -52,10 +52,6 @@ static int __net_init ipv6_sysctl_net_init(struct net *net)
                goto out;
        ipv6_table[0].data = &net->ipv6.sysctl.bindv6only;
-        /* Don't export sysctls to unprivileged users */
-        if (net->user_ns != &init_user_ns)
-                ipv6_table[0].procname = NULL;
        ipv6_route_table = ipv6_route_sysctl_init(net);
        if (!ipv6_route_table)
                goto out_ipv6_table;
author	Eric W. Biederman <ebiederm@xmission.com>	2012-11-15 22:03:10 -0500
committer	David S. Miller <davem@davemloft.net>	2012-11-18 20:33:00 -0500
commit	c027aab4a6b1fe2541090ac04bee8ad246aeef70 (patch)
tree	e53b0a69cba2bd4476812f06e97986bcdfb0195c
parent	276996fda0f33bd5e5e028c426f852ecd119372b (diff)