Re: [PATCH net-next] net: Enable some sysctls for the userns root with privilege

To: CGEL <cgel.zte@xxxxxxxxx>, Jakub Kicinski <kuba@xxxxxxxxxx>
Subject: Re: [PATCH net-next] net: Enable some sysctls for the userns root with privilege
Cc: <davem@xxxxxxxxxxxxx>, <alex.aring@xxxxxxxxx>, <stefan@xxxxxxxxxxxxxxxxxx>, <yoshfuji@xxxxxxxxxxxxxx>, <dsahern@xxxxxxxxxx>, <horms@xxxxxxxxxxxx>, <ja@xxxxxx>, <pablo@xxxxxxxxxxxxx>, <kadlec@xxxxxxxxxxxxx>, <fw@xxxxxxxxx>, <steffen.klassert@xxxxxxxxxxx>, <herbert@xxxxxxxxxxxxxxxxxxx>, <daniel@xxxxxxxxxxxxx>, <roopa@xxxxxxxxxx>, <yajun.deng@xxxxxxxxx>, <chinagar@xxxxxxxxxxxxxx>, <xu.xin16@xxxxxxxxxx>, <netdev@xxxxxxxxxxxxxxx>, <linux-kernel@xxxxxxxxxxxxxxx>, <linux-wpan@xxxxxxxxxxxxxxx>, <lvs-devel@xxxxxxxxxxxxxxx>, <netfilter-devel@xxxxxxxxxxxxxxx>, <coreteam@xxxxxxxxxxxxx>, Eric Biederman <ebiederm@xxxxxxxxxxxx>
From: Joanne Koong <joannekoong@xxxxxx>
Date: Tue, 7 Dec 2021 14:16:43 -0800
On 12/6/21 11:18 PM, CGEL wrote:

On Mon, Dec 06, 2021 at 04:45:20PM -0800, Jakub Kicinski wrote:
On Fri,  3 Dec 2021 03:28:15 +0000 cgel.zte@xxxxxxxxx wrote:
From: xu xin <xu.xin16@xxxxxxxxxx>

Enabled sysctls include the following:
1. net/ipv4/neigh/<if>/*
2. net/ipv6/neigh/<if>/*
3. net/ieee802154/6lowpan/*
4. net/ipv6/route/*
5. net/ipv4/vs/*
6. net/unix/*
7. net/core/xfrm_*

In practical work, some user namespaces with root privilege need to adjust
these sysctls in their own netns, but are limited just because they are not
the init user_ns, even if they are given root privilege by docker --privileged.
You need to justify why removing these checks is safe. It sounds like
you're only describing why having the permissions is problematic, which
is fair but not sufficient to just remove them.

Hi, Jakub
My patch is a little radical. I just saw Eric's previous reply to
These were disabled because out of an abundance of caution.

My original intention was to enable the part of the sysctls about neighbors
which I think is safe, but I will try to figure out which of these sysctls
are safe to be enabled.

A team at my company has a use case that requires setting the unix sysctls,
so I submitted a patch for enabling the unix sysctl here

Signed-off-by: xu xin <xu.xin16@xxxxxxxxxx>
  net/core/neighbour.c                | 4 ----
  net/ieee802154/6lowpan/reassembly.c | 4 ----
  net/ipv6/route.c                    | 4 ----
  net/netfilter/ipvs/ip_vs_ctl.c      | 4 ----
  net/netfilter/ipvs/ip_vs_lblc.c     | 4 ----
  net/netfilter/ipvs/ip_vs_lblcr.c    | 3 ---
  net/unix/sysctl_net_unix.c          | 4 ----
  net/xfrm/xfrm_sysctl.c              | 4 ----
  8 files changed, 31 deletions(-)
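The question Jakub raises (what a userns root can and cannot reach today) can be checked directly rather than argued from the source. The script below is an added example, not code from the patch or from anyone in this thread: it probes a few /proc/sys entries from the host context and again from inside a fresh user+net namespace in which the caller is mapped to uid 0. It assumes util-linux `unshare` with unprivileged user namespaces enabled; the two patch entries are taken from the list in the commit message, and net/ipv4/ip_forward is used as a control that the kernel already exposes to a netns owner. On a kernel that still carries the checks this patch deletes, the expectation is that the unix and xfrm entries come back absent inside the namespace while ip_forward is writable.

```shell
#!/bin/sh
# Added example (not from the patch or the thread): probe which sysctls a
# "root" inside a fresh user namespace can actually see and write.
# Assumes util-linux `unshare` with user-namespace support.

# sysctl_state PATH
# Prints one word: absent (no entry in this context), readonly, or writable.
# [ -w ] is access(2); on /proc/sys that is answered by the sysctl permission
# hooks, so it reflects the caller's rights in its own netns, not the raw
# mode bits shown by ls.
sysctl_state() {
    if [ ! -e "$1" ]; then
        echo absent
    elif [ -w "$1" ]; then
        echo writable
    else
        echo readonly
    fi
}

# probe_in_userns PATH...
# Re-runs the same test for each path inside a new user+net namespace in
# which the caller is mapped to uid 0 (unshare -U -r -n). Prints one
# "PATH STATE" line per path; STATE is "unshare-failed" when the kernel or
# sandbox refuses unprivileged user namespaces or unshare is missing.
probe_in_userns() {
    for p in "$@"; do
        st=$(unshare -Urn sh -c '
            if [ ! -e "$1" ]; then echo absent
            elif [ -w "$1" ]; then echo writable
            else echo readonly; fi' sh "$p" 2>/dev/null) || st=unshare-failed
        printf '%s %s\n' "$p" "$st"
    done
}

# Compare the same entries from the host context and from inside a userns.
# The first two are from the list in this patch (net/unix/* and
# net/core/xfrm_*); the last is a control the kernel already exposes to the
# owner of a netns.
compare_sysctls() {
    for p in /proc/sys/net/unix/max_dgram_qlen \
             /proc/sys/net/core/xfrm_acq_expires \
             /proc/sys/net/ipv4/ip_forward; do
        printf 'host   %s %s\n' "$p" "$(sysctl_state "$p")"
    done
    probe_in_userns /proc/sys/net/unix/max_dgram_qlen \
                    /proc/sys/net/core/xfrm_acq_expires \
                    /proc/sys/net/ipv4/ip_forward | sed 's/^/userns /'
}

compare_sysctls
```

Run it as an ordinary user on the kernel under review: the "host" lines show what the init user_ns sees, the "userns" lines what a container started with its own user namespace sees. A path reported as absent inside the namespace is one the kernel deliberately never registered for that netns, which is exactly the check the diffstat above removes; a readonly result means the entry is registered but the netns owner's CAP_NET_ADMIN is not granted write access to it.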
