summaryrefslogtreecommitdiff
path: root/net/sysctl_net.c
diff options
context:
space:
mode:
Diffstat (limited to 'net/sysctl_net.c')
-rw-r--r--net/sysctl_net.c103
1 files changed, 84 insertions, 19 deletions
diff --git a/net/sysctl_net.c b/net/sysctl_net.c
index 9bc6db04be3e..19e8048241ba 100644
--- a/net/sysctl_net.c
+++ b/net/sysctl_net.c
@@ -1,3 +1,4 @@
+// SPDX-License-Identifier: GPL-2.0-only
/* -*- linux-c -*-
* sysctl_net.c: sysctl interface to net subsystem.
*
@@ -27,9 +28,9 @@
#endif
static struct ctl_table_set *
-net_ctl_header_lookup(struct ctl_table_root *root, struct nsproxy *namespaces)
+net_ctl_header_lookup(struct ctl_table_root *root)
{
- return &namespaces->net_ns->sysctls;
+ return &current->nsproxy->net_ns->sysctls;
}
static int is_seen(struct ctl_table_set *set)
@@ -39,29 +40,39 @@ static int is_seen(struct ctl_table_set *set)
/* Return standard mode bits for table entry. */
static int net_ctl_permissions(struct ctl_table_header *head,
- struct ctl_table *table)
+ const struct ctl_table *table)
{
struct net *net = container_of(head->set, struct net, sysctls);
- kuid_t root_uid = make_kuid(net->user_ns, 0);
- kgid_t root_gid = make_kgid(net->user_ns, 0);
/* Allow network administrator to have same access as root. */
- if (ns_capable(net->user_ns, CAP_NET_ADMIN) ||
- uid_eq(root_uid, current_uid())) {
+ if (ns_capable_noaudit(net->user_ns, CAP_NET_ADMIN)) {
int mode = (table->mode >> 6) & 7;
return (mode << 6) | (mode << 3) | mode;
}
- /* Allow netns root group to have the same access as the root group */
- if (gid_eq(root_gid, current_gid())) {
- int mode = (table->mode >> 3) & 7;
- return (mode << 3) | mode;
- }
+
return table->mode;
}
+static void net_ctl_set_ownership(struct ctl_table_header *head,
+ kuid_t *uid, kgid_t *gid)
+{
+ struct net *net = container_of(head->set, struct net, sysctls);
+ kuid_t ns_root_uid;
+ kgid_t ns_root_gid;
+
+ ns_root_uid = make_kuid(net->user_ns, 0);
+ if (uid_valid(ns_root_uid))
+ *uid = ns_root_uid;
+
+ ns_root_gid = make_kgid(net->user_ns, 0);
+ if (gid_valid(ns_root_gid))
+ *gid = ns_root_gid;
+}
+
static struct ctl_table_root net_sysctl_root = {
.lookup = net_ctl_header_lookup,
.permissions = net_ctl_permissions,
+ .set_ownership = net_ctl_set_ownership,
};
static int __net_init sysctl_net_init(struct net *net)
@@ -89,23 +100,77 @@ __init int net_sysctl_init(void)
* registering "/proc/sys/net" as an empty directory not in a
* network namespace.
*/
- net_header = register_sysctl("net", empty);
+ net_header = register_sysctl_sz("net", empty, 0);
if (!net_header)
goto out;
ret = register_pernet_subsys(&sysctl_pernet_ops);
if (ret)
- goto out;
- register_sysctl_root(&net_sysctl_root);
+ goto out1;
out:
return ret;
+out1:
+ unregister_sysctl_table(net_header);
+ net_header = NULL;
+ goto out;
}
-struct ctl_table_header *register_net_sysctl(struct net *net,
- const char *path, struct ctl_table *table)
+/* Verify that sysctls for non-init netns are safe by either:
+ * 1) being read-only, or
+ * 2) having a data pointer which points outside of the global kernel/module
+ * data segment, and rather into the heap where a per-net object was
+ * allocated.
+ */
+static void ensure_safe_net_sysctl(struct net *net, const char *path,
+ struct ctl_table *table, size_t table_size)
{
- return __register_sysctl_table(&net->sysctls, path, table);
+ struct ctl_table *ent;
+
+ pr_debug("Registering net sysctl (net %p): %s\n", net, path);
+ ent = table;
+ for (size_t i = 0; i < table_size; ent++, i++) {
+ unsigned long addr;
+ const char *where;
+
+ pr_debug(" procname=%s mode=%o proc_handler=%ps data=%p\n",
+ ent->procname, ent->mode, ent->proc_handler, ent->data);
+
+ /* If it's not writable inside the netns, then it can't hurt. */
+ if ((ent->mode & 0222) == 0) {
+ pr_debug(" Not writable by anyone\n");
+ continue;
+ }
+
+ /* Where does data point? */
+ addr = (unsigned long)ent->data;
+ if (is_module_address(addr))
+ where = "module";
+ else if (is_kernel_core_data(addr))
+ where = "kernel";
+ else
+ continue;
+
+ /* If it is writable and points to kernel/module global
+ * data, then it's probably a netns leak.
+ */
+ WARN(1, "sysctl %s/%s: data points to %s global data: %ps\n",
+ path, ent->procname, where, ent->data);
+
+ /* Make it "safe" by dropping writable perms */
+ ent->mode &= ~0222;
+ }
+}
+
+struct ctl_table_header *register_net_sysctl_sz(struct net *net,
+ const char *path,
+ struct ctl_table *table,
+ size_t table_size)
+{
+ if (!net_eq(net, &init_net))
+ ensure_safe_net_sysctl(net, path, table, table_size);
+
+ return __register_sysctl_table(&net->sysctls, path, table, table_size);
}
-EXPORT_SYMBOL_GPL(register_net_sysctl);
+EXPORT_SYMBOL_GPL(register_net_sysctl_sz);
void unregister_net_sysctl_table(struct ctl_table_header *header)
{
generated by cgit (git 2.34.1) at 2025-12-22 00:22:41 +0000