Received: by 2002:a05:6a10:a852:0:0:0:0 with SMTP id d18csp494067pxy; Wed, 5 May 2021 07:12:11 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxon6iVJYkmu6Zb9qt6WZDVxWNiF9sINa2YG2h2XG7v7vokPuEsFtYhWABjJ+1e9LB0ljnw X-Received: by 2002:a17:906:1684:: with SMTP id s4mr26884667ejd.506.1620223930833; Wed, 05 May 2021 07:12:10 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1620223930; cv=none; d=google.com; s=arc-20160816; b=Ej6UjI6+RZmFygsMDUaP5rVflgChj7W8eDlK78ato+T3GHZ99SH4NMXq0LFi7SgWxc rd8/GjKcBFnvjOI2PYV0XzAWFFvnGe9MN5/1yz/r9KQzoySmE+sIQ7CTS3SYvQxjK/Eq ay+I2IqB0DYR94pdLVokHjhlte3y4EdmgixuLRhiWcqqmO6+ekWVFboFmi+lCDypazUz OovQCc1fp6SdKSFoacb1qD4QNussXhPs/AbJkQBwJ4+2y6x9ts6BHnvpQQVPua5sLYZ2 jLJRNvbUZ+VHBsByR5uynQnYO8Im91e5QA+7Gp6047/XgBlrZ0TPoituW0+FNYCer8vJ PpHg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=VJozDLeZRByF1s3VlZSg3C4yxznf1egubt/9lhknKrA=; b=TqmtTiHJwNUi6XoBGNZaZa8aAQRHXwehfCvDyC2BEeoaST/SUXCoSDP9eLCjrqkax7 FrixNxijkg9syFfwpJ97Jdx6fr/sBvPAzoNm0arkP7UcRhyhdZneTWhr0k3QUY/8VTOG d75IZNmvorKGpeT6zcIRlnwkQtjNjXpWGDYev1vPI1BKUavjgTIKMS8/wabMUWlzOTQl 5YtMblxaSvej446L+bcdq85WH+b2JkzxH4FMJZm1QBkjH//oT4V+HCjD1XvETWMt/J3q +vPrmOlGiHr3ARsYH1V120x2NUG4EskRMF1ftBkNfnJnP5/cjmokfWFrkizzf5DyjLpI ddQw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=huokY62i; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id e20si5585703ejt.19.2021.05.05.07.11.44; Wed, 05 May 2021 07:12:10 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=huokY62i; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233495AbhEEMMd (ORCPT + 99 others); Wed, 5 May 2021 08:12:33 -0400 Received: from mail.kernel.org ([198.145.29.99]:50558 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233378AbhEEMJz (ORCPT ); Wed, 5 May 2021 08:09:55 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id E6B60613BE; Wed, 5 May 2021 12:08:52 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1620216533; bh=jfsNba7U9iA8JZj5ycsqVMIeZBeB2IQaEFt7ctlUEek=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=huokY62ity3rv3k2WgHKDN+XLXZNaIt0Kc2+Vn2KLUlyfxIRC62jglywFvekUiY3C AmcpRxiPhpkaL6gngD9912uTZFHXGFpQIGkFMBFPGlRtT3q06BUiAtCLd0vml2ovCu S2XilPYdX0WVkCunYnqh8lCMwPX67WO/UWUYmXBg= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Jonathon Reinhart , "David S. Miller" Subject: [PATCH 5.11 02/31] netfilter: conntrack: Make global sysctls readonly in non-init netns Date: Wed, 5 May 2021 14:05:51 +0200 Message-Id: <20210505112326.751636796@linuxfoundation.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210505112326.672439569@linuxfoundation.org> References: <20210505112326.672439569@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Jonathon Reinhart commit 2671fa4dc0109d3fb581bc3078fdf17b5d9080f6 upstream. These sysctls point to global variables: - NF_SYSCTL_CT_MAX (&nf_conntrack_max) - NF_SYSCTL_CT_EXPECT_MAX (&nf_ct_expect_max) - NF_SYSCTL_CT_BUCKETS (&nf_conntrack_htable_size_user) Because their data pointers are not updated to point to per-netns structures, they must be marked read-only in a non-init_net ns. Otherwise, changes in any net namespace are reflected in (leaked into) all other net namespaces. This problem has existed since the introduction of net namespaces. The current logic marks them read-only only if the net namespace is owned by an unprivileged user (other than init_user_ns). Commit d0febd81ae77 ("netfilter: conntrack: re-visit sysctls in unprivileged namespaces") "exposes all sysctls even if the namespace is unpriviliged." Since we need to mark them readonly in any case, we can forego the unprivileged user check altogether. Fixes: d0febd81ae77 ("netfilter: conntrack: re-visit sysctls in unprivileged namespaces") Signed-off-by: Jonathon Reinhart Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/netfilter/nf_conntrack_standalone.c | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) --- a/net/netfilter/nf_conntrack_standalone.c +++ b/net/netfilter/nf_conntrack_standalone.c @@ -1060,16 +1060,10 @@ static int nf_conntrack_standalone_init_ nf_conntrack_standalone_init_dccp_sysctl(net, table); nf_conntrack_standalone_init_gre_sysctl(net, table); - /* Don't allow unprivileged users to alter certain sysctls */ - if (net->user_ns != &init_user_ns) { + /* Don't allow non-init_net ns to alter global sysctls */ + if (!net_eq(&init_net, net)) { table[NF_SYSCTL_CT_MAX].mode = 0444; table[NF_SYSCTL_CT_EXPECT_MAX].mode = 0444; - table[NF_SYSCTL_CT_HELPER].mode = 0444; -#ifdef CONFIG_NF_CONNTRACK_EVENTS - table[NF_SYSCTL_CT_EVENTS].mode = 0444; -#endif - table[NF_SYSCTL_CT_BUCKETS].mode = 0444; - } else if (!net_eq(&init_net, net)) { table[NF_SYSCTL_CT_BUCKETS].mode = 0444; }