Date: Fri, 3 May 2024 16:06:24 +0300 (EEST)
From: Julian Anastasov
To: Alexander Mikhalitsyn
Cc: horms@verge.net.au, netdev@vger.kernel.org, lvs-devel@vger.kernel.org, netfilter-devel@vger.kernel.org, linux-kernel@vger.kernel.org, Stéphane Graber, Christian Brauner, Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal
Subject: Re: [PATCH net-next v3 2/2] ipvs: allow some sysctls in non-init user namespaces
In-Reply-To: <20240418145743.248109-2-aleksandr.mikhalitsyn@canonical.com>
Message-ID: <8e70d6d3-6852-7b84-81b3-5d1a798f224f@ssi.bg>
References: <20240418145743.248109-1-aleksandr.mikhalitsyn@canonical.com> <20240418145743.248109-2-aleksandr.mikhalitsyn@canonical.com>

Hello,

On Thu, 18 Apr 2024, Alexander Mikhalitsyn wrote:

> Let's make all IPVS sysctls writable even when
> network namespace is owned by non-initial user namespace.
>
> Let's make a few sysctls read-only for non-privileged users:
> - sync_qlen_max
> - sync_sock_size
> - run_estimation
> - est_cpulist
> - est_nice
>
> I'm trying to be conservative with this to prevent
> introducing any security issues in there. Maybe
> we can allow more sysctls to be writable, but let's
> do this on-demand and when we see a real use-case.
>
> This patch is motivated by user request in the LXC
> project [1]. Having this can help with running some
> Kubernetes [2] or Docker Swarm [3] workloads inside the system
> containers.
>
> Link: https://github.com/lxc/lxc/issues/4278 [1]
> Link: https://github.com/kubernetes/kubernetes/blob/b722d017a34b300a2284b890448e5a605f21d01e/pkg/proxy/ipvs/proxier.go#L103 [2]
> Link: https://github.com/moby/libnetwork/blob/3797618f9a38372e8107d8c06f6ae199e1133ae8/osl/namespace_linux.go#L682 [3]
>
> Cc: Stéphane Graber
> Cc: Christian Brauner
> Cc: Julian Anastasov
> Cc: Simon Horman
> Cc: Pablo Neira Ayuso
> Cc: Jozsef Kadlecsik
> Cc: Florian Westphal
> Signed-off-by: Alexander Mikhalitsyn
> ---
> net/netfilter/ipvs/ip_vs_ctl.c | 21 +++++++++++++++------
> 1 file changed, 15 insertions(+), 6 deletions(-)
>
> diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
> index 32be24f0d4e4..c3ba71aa2654 100644
> --- a/net/netfilter/ipvs/ip_vs_ctl.c
> +++ b/net/netfilter/ipvs/ip_vs_ctl.c

..

> @@ -4284,12 +4285,6 @@ static int __net_init ip_vs_control_net_init_sysctl(struct netns_ipvs *ipvs)
> tbl = kmemdup(vs_vars, sizeof(vs_vars), GFP_KERNEL);
> if (tbl == NULL)
> return -ENOMEM;
> -
> - /* Don't export sysctls to unprivileged users */
> - if (net->user_ns != &init_user_ns) {
> - tbl[0].procname = NULL;
> - ctl_table_size = 0;
> - }
> } else
> tbl = vs_vars;
> /* Initialize sysctl defaults */

Sorry, but you have to send v4 because the above if-block was changed with net-next commit 635470eb0aa7 from today...

Regards

--
Julian Anastasov
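Review bot: removing the `if (net->user_ns != &init_user_ns)` block registers the full `vs_vars` table for every network namespace, including those owned by an unprivileged user namespace, so the read-only handling for sync_qlen_max, sync_sock_size, run_estimation, est_cpulist and est_nice that the commit message promises has to happen elsewhere in this function; that part of the diff is elided here (`..`), so confirm those entries have their write bits cleared on the kmemdup'd copy, not on the static `vs_vars` that the `else` branch hands out, before the table is registered. The removed block also set `ctl_table_size` to 0 for that case; check that the size now passed on for a non-init user namespace still matches the entries actually present in the copy. Separately, the hunk targets the version of this block before net-next commit 635470eb0aa7, as the reply notes, so it needs a rebase before it can be re-reviewed.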
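The policy the commit message describes, as an added userspace illustration rather than code from the patch or from the kernel: a per-netns copy of the sysctl table is built, and when the owning user namespace is not init_user_ns the five named entries lose their write bits while everything else stays writable. The sample table, the 0644 modes, the in_init_user_ns flag and the function names are assumptions for this example; the real struct ctl_table layout and the registration step are not modelled.

```c
/*
 * Added example, not kernel code: a userspace model of the policy in the
 * commit message. A per-netns copy of the IPVS sysctl table is made, and
 * when the netns is owned by a non-initial user namespace the five listed
 * entries have their write bits cleared. Table contents, modes and function
 * names are assumptions for this illustration.
 */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct ctl_entry {
	const char *procname;
	unsigned int mode;	/* octal permission bits, like struct ctl_table */
};

/* Entries the commit message keeps read-only outside init_user_ns. */
static const char *const ro_outside_init_userns[] = {
	"sync_qlen_max", "sync_sock_size", "run_estimation",
	"est_cpulist", "est_nice",
};
#define RO_COUNT (sizeof(ro_outside_init_userns) / sizeof(ro_outside_init_userns[0]))

/* Constructed sample table: a handful of IPVS sysctls, all root-writable. */
static const struct ctl_entry vs_vars[] = {
	{ "conntrack",          0644 },
	{ "sync_qlen_max",      0644 },
	{ "sync_sock_size",     0644 },
	{ "run_estimation",     0644 },
	{ "est_cpulist",        0644 },
	{ "est_nice",           0644 },
	{ "expire_nodest_conn", 0644 },
};
#define VS_VARS_COUNT (sizeof(vs_vars) / sizeof(vs_vars[0]))

static bool is_ro_outside_init_userns(const char *name)
{
	for (size_t i = 0; i < RO_COUNT; i++)
		if (strcmp(name, ro_outside_init_userns[i]) == 0)
			return true;
	return false;
}

/*
 * Build the table for one netns (caller frees). in_init_user_ns mirrors the
 * kernel's net->user_ns == &init_user_ns test. Only the copy is modified,
 * never the static vs_vars, so one namespace cannot affect another.
 */
struct ctl_entry *build_netns_table(bool in_init_user_ns, size_t *count)
{
	struct ctl_entry *tbl = malloc(sizeof(vs_vars));

	if (!tbl)
		return NULL;
	memcpy(tbl, vs_vars, sizeof(vs_vars));
	*count = VS_VARS_COUNT;
	if (!in_init_user_ns)
		for (size_t i = 0; i < VS_VARS_COUNT; i++)
			if (is_ro_outside_init_userns(tbl[i].procname))
				tbl[i].mode &= ~0222u;	/* drop every write bit */
	return tbl;
}

/* 1 if the owner may write `name`, 0 if read-only, -1 if not in the table. */
int sysctl_writable(const struct ctl_entry *tbl, size_t count, const char *name)
{
	for (size_t i = 0; i < count; i++)
		if (strcmp(tbl[i].procname, name) == 0)
			return (tbl[i].mode & 0200) != 0;
	return -1;
}

/* Same answer for a freshly built per-netns table; -2 on allocation failure. */
int writable_in_netns(bool in_init_user_ns, const char *name)
{
	size_t n;
	struct ctl_entry *tbl = build_netns_table(in_init_user_ns, &n);
	int ret;

	if (!tbl)
		return -2;
	ret = sysctl_writable(tbl, n, name);
	free(tbl);
	return ret;
}

int main(void)
{
	for (size_t i = 0; i < VS_VARS_COUNT; i++)
		printf("%-20s init_user_ns:%d  child_user_ns:%d\n",
		       vs_vars[i].procname,
		       writable_in_netns(true, vs_vars[i].procname),
		       writable_in_netns(false, vs_vars[i].procname));
	return 0;
}
```

The point of building the copy before touching modes is the same one that matters in the real function: the static table is shared by every namespace, so restrictions for a child user namespace must be applied to the kmemdup'd copy, or they would leak into (or be missing from) other namespaces.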