From: Alexey Gladkov
To: LKML, Linux Containers
Cc: Andrew Morton, Christian Brauner, "Eric W . Biederman", Kees Cook, Manfred Spraul
Subject: [PATCH v1] sysctl: Allow change system v ipc sysctls inside ipc namespace
Date: Tue, 12 Jul 2022 18:17:38 +0200
Message-Id: <54e6b6b1b430537748a7136e854923498443f78a.1657642613.git.legion@kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Rootless containers are not allowed to modify kernel IPC parameters such as kernel.msgmnb.

It seems to me that we can allow customization of these parameters if the user has CAP_SYS_RESOURCE in that ipc namespace. CAP_SYS_RESOURCE is already needed in order to overcome mqueue limits (msg_max and msgsize_max).

Signed-off-by: Alexey Gladkov
---
 ipc/ipc_sysctl.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/ipc/ipc_sysctl.c b/ipc/ipc_sysctl.c
index ef313ecfb53a..e79452867720 100644
--- a/ipc/ipc_sysctl.c
+++ b/ipc/ipc_sysctl.c
@@ -193,16 +193,19 @@ static int set_is_seen(struct ctl_table_set *set) static int ipc_permissions(struct ctl_table_header *head, struct ctl_table *table) { int mode = table->mode; - -#ifdef CONFIG_CHECKPOINT_RESTORE struct ipc_namespace *ns = current->nsproxy->ipc_ns; +#ifdef CONFIG_CHECKPOINT_RESTORE if (((table->data == &ns->ids[IPC_SEM_IDS].next_id) || (table->data == &ns->ids[IPC_MSG_IDS].next_id) || (table->data == &ns->ids[IPC_SHM_IDS].next_id)) && checkpoint_restore_ns_capable(ns->user_ns)) mode = 0666; + else #endif + if (ns_capable(ns->user_ns, CAP_SYS_RESOURCE)) + mode = 0666; + return mode; }
-- 
2.33.3
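Review bot: the new `if (ns_capable(ns->user_ns, CAP_SYS_RESOURCE)) mode = 0666;` branch in `ipc_permissions()` is not limited to the rootless-container case the message describes: it also fires when `ns->user_ns` is the initial user namespace, so on the host a non-root process that holds only CAP_SYS_RESOURCE now gets write access to every sysctl that is routed through `ipc_permissions()`, including the `next_id` entries that were previously gated on `checkpoint_restore_ns_capable()`. Please state in the commit message whether that host-side widening is intended, or narrow the check (for example by skipping it when `ns->user_ns == &init_user_ns`, or by only applying it to the specific limit tables the message names). As a readability point, the `+ else` emitted just before `#endif` makes the `if` after the `#endif` a dangling else-branch that only exists in one configuration; restructuring so the capability check stands alone (e.g. `if (ns_capable(...)) mode = 0666;` after the `#ifdef` block, with the checkpoint/restore branch returning early) would keep both build variants obviously equivalent.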