authorEric W. Biederman <ebiederm@xmission.com>2012-11-15 22:02:59 -0500
committerDavid S. Miller <davem@davemloft.net>2012-11-18 20:30:55 -0500
commit464dc801c76aa0db88e16e8f5f47c6879858b9b2 (patch)
treecfaf0f43f4ce50669f07031ec42062b4c9a7f985 /net/netfilter
parent73f7ef435934e952c1d70d83d69921ea5d1f6bd4 (diff)
net: Don't export sysctls to unprivileged users
In preparation for supporting the creation of network namespaces by unprivileged users, modify all of the per net sysctl exports and refuse to allow them to unprivileged users. This makes it safe for unprivileged users in general to access per net sysctls, and allows sysctls to be exported to unprivileged users on an individual basis as they are deemed safe. Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/netfilter')
-rw-r--r--net/netfilter/ipvs/ip_vs_ctl.c4
-rw-r--r--net/netfilter/ipvs/ip_vs_lblc.c7
-rw-r--r--net/netfilter/ipvs/ip_vs_lblcr.c4
-rw-r--r--net/netfilter/nf_conntrack_acct.c4
-rw-r--r--net/netfilter/nf_conntrack_ecache.c4
-rw-r--r--net/netfilter/nf_conntrack_helper.c4
-rw-r--r--net/netfilter/nf_conntrack_proto_dccp.c8
-rw-r--r--net/netfilter/nf_conntrack_standalone.c4
-rw-r--r--net/netfilter/nf_conntrack_timestamp.c4
9 files changed, 40 insertions, 3 deletions
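diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index c4ee43710aab..c6cebd560936 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -3699,6 +3699,10 @@ static int __net_init ip_vs_control_net_init_sysctl(struct net *net)
 tbl = kmemdup(vs_vars, sizeof(vs_vars), GFP_KERNEL);
 if (tbl == NULL)
 return -ENOMEM;
+
+/* Don't export sysctls to unprivileged users */
+if (net->user_ns != &init_user_ns)
+tbl[0].procname = NULL;
 } else
 tbl = vs_vars;
 /* Initialize sysctl defaults */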
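Review bot: The new check at new lines 3704-3705 is only safe because it sits inside the `!net_eq(net, &init_net)` branch, where `tbl` is the kmemdup() copy; the `else` branch directly below hands out the static `vs_vars`, whose procname must never be cleared or every namespace including init_net would lose the table. The comment should say so, since the trick depends on the ctl_table sentinel convention (a NULL procname ends the table, so register_net_sysctl() sees no entries): `/* Don't export sysctls to unprivileged users: a NULL procname in entry 0 ends the table; only ever clear it on the kmemdup() copy, never on vs_vars */`. ip_vs_control_net_init_sysctl() starts and ends outside the hunk.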
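diff --git a/net/netfilter/ipvs/ip_vs_lblc.c b/net/netfilter/ipvs/ip_vs_lblc.c
index cbd37489ac77..d742aa9780ec 100644
--- a/net/netfilter/ipvs/ip_vs_lblc.c
+++ b/net/netfilter/ipvs/ip_vs_lblc.c
@@ -560,6 +560,11 @@ static int __net_init __ip_vs_lblc_init(struct net *net)
 GFP_KERNEL);
 if (ipvs->lblc_ctl_table == NULL)
 return -ENOMEM;
+
+/* Don't export sysctls to unprivileged users */
+if (net->user_ns != &init_user_ns)
+ipvs->lblc_ctl_table[0].procname = NULL;
+
 } else
 ipvs->lblc_ctl_table = vs_vars_table;
 ipvs->sysctl_lblc_expiration = DEFAULT_EXPIRATION;
@@ -569,7 +574,7 @@ static int __net_init __ip_vs_lblc_init(struct net *net)
 register_net_sysctl(net, "net/ipv4/vs", ipvs->lblc_ctl_table);
 if (!ipvs->lblc_ctl_header) {
 if (!net_eq(net, &init_net))
-kfree(ipvs->lblc_ctl_table);
+kfree(ipvs->lblc_ctl_table);\
 return -ENOMEM;
 }
 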
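Review bot: New line 577, `kfree(ipvs->lblc_ctl_table);\`, picks up a stray trailing backslash that the commit message does not mention; the backslash-newline splices `return -ENOMEM;` onto the same logical line, which still compiles but is an accidental edit unrelated to the sysctl change and will be flagged by checkpatch. The line should read exactly as it did on the old side, `kfree(ipvs->lblc_ctl_table);`. The second hunk is the one worth raising here; the first hunk's procname clearing matches the pattern used in the other files. __ip_vs_lblc_init() starts before the first hunk and continues past this one.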
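diff --git a/net/netfilter/ipvs/ip_vs_lblcr.c b/net/netfilter/ipvs/ip_vs_lblcr.c
index 161b67972e3f..c03b6a3ade2f 100644
--- a/net/netfilter/ipvs/ip_vs_lblcr.c
+++ b/net/netfilter/ipvs/ip_vs_lblcr.c
@@ -754,6 +754,10 @@ static int __net_init __ip_vs_lblcr_init(struct net *net)
 GFP_KERNEL);
 if (ipvs->lblcr_ctl_table == NULL)
 return -ENOMEM;
+
+/* Don't export sysctls to unprivileged users */
+if (net->user_ns != &init_user_ns)
+ipvs->lblcr_ctl_table[0].procname = NULL;
 } else
 ipvs->lblcr_ctl_table = vs_vars_table;
 ipvs->sysctl_lblcr_expiration = DEFAULT_EXPIRATION;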
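Review bot: The three-line `if (net->user_ns != &init_user_ns) ...procname = NULL;` block at new lines 758-760 is a verbatim copy of the same policy test that this commit pastes into every per-net sysctl init in this directory, and the commit message says individual sysctls will later be exported to unprivileged users case by case. A single helper in a shared header, e.g. `static inline bool net_sysctl_unprivileged(const struct net *net) { return net->user_ns != &init_user_ns; }`, would keep the policy in one place when that happens, with this site reading `if (net_sysctl_unprivileged(net)) ipvs->lblcr_ctl_table[0].procname = NULL;`. This is a style point only; the per-site logic is correct as written. __ip_vs_lblcr_init() starts and ends outside the hunk.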
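diff --git a/net/netfilter/nf_conntrack_acct.c b/net/netfilter/nf_conntrack_acct.c
index d61e0782a797..7df424e2d10c 100644
--- a/net/netfilter/nf_conntrack_acct.c
+++ b/net/netfilter/nf_conntrack_acct.c
@@ -69,6 +69,10 @@ static int nf_conntrack_acct_init_sysctl(struct net *net)
 
 table[0].data = &net->ct.sysctl_acct;
 
+/* Don't export sysctls to unprivileged users */
+if (net->user_ns != &init_user_ns)
+table[0].procname = NULL;
+
 net->ct.acct_sysctl_header = register_net_sysctl(net, "net/netfilter",
 table);
 if (!net->ct.acct_sysctl_header) {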
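Review bot: Clearing `table[0].procname` at new line 74 is only correct if `table` is a per-net kmemdup() copy rather than the static template; the allocation is outside the hunk, though the `table[0].data = &net->ct.sysctl_acct` rewrite just above implies the copy (storing a per-net pointer into a shared table would already be wrong). Since the whole scheme depends on that, a short comment would make the dependency explicit for the next reader: `/* table is our per-net copy, so clearing entry 0's procname hides the table for this net only */`. nf_conntrack_acct_init_sysctl() starts and ends outside the hunk.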
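diff --git a/net/netfilter/nf_conntrack_ecache.c b/net/netfilter/nf_conntrack_ecache.c
index de9781b6464f..faa978f1714b 100644
--- a/net/netfilter/nf_conntrack_ecache.c
+++ b/net/netfilter/nf_conntrack_ecache.c
@@ -196,6 +196,10 @@ static int nf_conntrack_event_init_sysctl(struct net *net)
 table[0].data = &net->ct.sysctl_events;
 table[1].data = &net->ct.sysctl_events_retry_timeout;
 
+/* Don't export sysctls to unprivileged users */
+if (net->user_ns != &init_user_ns)
+table[0].procname = NULL;
+
 net->ct.event_sysctl_header =
 register_net_sysctl(net, "net/netfilter", table);
 if (!net->ct.event_sysctl_header) {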
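Review bot: Clearing `table[0].procname` at new line 201 hides not only the `sysctl_events` entry but also the `sysctl_events_retry_timeout` entry wired up at line 197, because the ctl_table walk stops at the first NULL procname; the comment should say that both disappear. It also means entry 1 cannot later be exported on its own without reordering the template, which matters given the commit message's plan to whitelist sysctls individually. Suggested wording: `/* Don't export sysctls to unprivileged users: a NULL procname in entry 0 terminates the table, so the retry_timeout entry is hidden too */`. nf_conntrack_event_init_sysctl() starts and ends outside the hunk.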
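diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c
index c4bc637feb76..884f2b39319a 100644
--- a/net/netfilter/nf_conntrack_helper.c
+++ b/net/netfilter/nf_conntrack_helper.c
@@ -64,6 +64,10 @@ static int nf_conntrack_helper_init_sysctl(struct net *net)
 
 table[0].data = &net->ct.sysctl_auto_assign_helper;
 
+/* Don't export sysctls to unprivileged users */
+if (net->user_ns != &init_user_ns)
+table[0].procname = NULL;
+
 net->ct.helper_sysctl_header =
 register_net_sysctl(net, "net/netfilter", table);
 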
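diff --git a/net/netfilter/nf_conntrack_proto_dccp.c b/net/netfilter/nf_conntrack_proto_dccp.c
index 6535326cf07c..a8ae287bc7af 100644
--- a/net/netfilter/nf_conntrack_proto_dccp.c
+++ b/net/netfilter/nf_conntrack_proto_dccp.c
@@ -815,7 +815,7 @@ static struct ctl_table dccp_sysctl_table[] = {
 };
 #endif /* CONFIG_SYSCTL */
 
-static int dccp_kmemdup_sysctl_table(struct nf_proto_net *pn,
+static int dccp_kmemdup_sysctl_table(struct net *net, struct nf_proto_net *pn,
 struct dccp_net *dn)
 {
 #ifdef CONFIG_SYSCTL
@@ -836,6 +836,10 @@ static int dccp_kmemdup_sysctl_table(struct nf_proto_net *pn,
 pn->ctl_table[5].data = &dn->dccp_timeout[CT_DCCP_CLOSING];
 pn->ctl_table[6].data = &dn->dccp_timeout[CT_DCCP_TIMEWAIT];
 pn->ctl_table[7].data = &dn->dccp_loose;
+
+/* Don't export sysctls to unprivileged users */
+if (net->user_ns != &init_user_ns)
+pn->ctl_table[0].procname = NULL;
 #endif
 return 0;
 }
@@ -857,7 +861,7 @@ static int dccp_init_net(struct net *net, u_int16_t proto)
 dn->dccp_timeout[CT_DCCP_TIMEWAIT] = 2 * DCCP_MSL;
 }
 
-return dccp_kmemdup_sysctl_table(pn, dn);
+return dccp_kmemdup_sysctl_table(net, pn, dn);
 }
 
 static struct nf_conntrack_l4proto dccp_proto4 __read_mostly = {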
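Review bot: The diffstat lists nf_conntrack_proto_dccp.c as the only nf_conntrack_proto_*.c file touched, yet the hiding at new lines 841-842 is done inside DCCP's own per-protocol kmemdup helper; if the other L4 trackers (tcp, udp, sctp and the rest) build their per-net tables through similar per-protocol helpers, their sysctls would remain exported to unprivileged namespaces unless a common registration path handles them, which is not visible from this hunk and is worth confirming before merge. A minor point in the same hunk: the new `net` parameter is referenced only inside the `#ifdef CONFIG_SYSCTL` region, so in !CONFIG_SYSCTL builds it appears to be unused just as `pn` and `dn` already were. The kmemdup() of `pn->ctl_table` itself falls between the first and second hunks.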
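diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
index 9b3943252a5e..363285d544a1 100644
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -489,6 +489,10 @@ static int nf_conntrack_standalone_init_sysctl(struct net *net)
 table[3].data = &net->ct.sysctl_checksum;
 table[4].data = &net->ct.sysctl_log_invalid;
 
+/* Don't export sysctls to unprivileged users */
+if (net->user_ns != &init_user_ns)
+table[0].procname = NULL;
+
 net->ct.sysctl_header = register_net_sysctl(net, "net/netfilter", table);
 if (!net->ct.sysctl_header)
 goto out_unregister_netfilter;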
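Review bot: Clearing `table[0].procname` at new line 494 hides every entry in the table, including entries 0-2 whose `.data` setup lies outside the hunk, not only the two per-net knobs rewritten at lines 489-490; that is presumably the intended blanket stopgap the commit message describes, but the comment does not say that it relies on the NULL-procname sentinel rather than on any per-entry permission. Suggested: `/* Don't export sysctls to unprivileged users: a NULL procname in entry 0 ends the table, hiding every entry, not just the per-net ones */`. nf_conntrack_standalone_init_sysctl() starts before the hunk and its error path continues after it.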
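diff --git a/net/netfilter/nf_conntrack_timestamp.c b/net/netfilter/nf_conntrack_timestamp.c
index dbb364f62d6f..7ea8026f07c9 100644
--- a/net/netfilter/nf_conntrack_timestamp.c
+++ b/net/netfilter/nf_conntrack_timestamp.c
@@ -51,6 +51,10 @@ static int nf_conntrack_tstamp_init_sysctl(struct net *net)
 
 table[0].data = &net->ct.sysctl_tstamp;
 
+/* Don't export sysctls to unprivileged users */
+if (net->user_ns != &init_user_ns)
+table[0].procname = NULL;
+
 net->ct.tstamp_sysctl_header = register_net_sysctl(net, "net/netfilter",
 table);
 if (!net->ct.tstamp_sysctl_header) {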