linux/net
Jonathon Reinhart 31c4d2f160 net: Ensure net namespace isolation of sysctls
This adds an ensure_safe_net_sysctl() check during register_net_sysctl()
to validate that sysctl table entries for a non-init_net netns are
sufficiently isolated. To be netns-safe, an entry must adhere to at
least (and usually exactly) one of these rules:

1. It is marked read-only inside the netns.
2. Its data pointer does not point to kernel/module global data.

An entry which fails both of these checks is indicative of a bug,
whereby a child netns can affect global net sysctl values.

If such an entry is found, this code will issue a warning to the kernel
log, and force the entry to be read-only to prevent a leak.

To test, simply create a new netns:

    $ sudo ip netns add dummy

As it sits now, this patch will WARN for two sysctls which will be
addressed in a subsequent patch:
- /proc/sys/net/netfilter/nf_conntrack_max
- /proc/sys/net/netfilter/nf_conntrack_expect_max

Signed-off-by: Jonathon Reinhart <Jonathon.Reinhart@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2021-04-12 13:27:11 -07:00
..
6lowpan 6lowpan: Fix some typos in nhc_udp.c 2021-03-24 17:52:11 -07:00
9p net: 9p: Correct function names in the kerneldoc comments 2021-03-28 17:56:56 -07:00
802
8021q net: bridge: resolve forwarding path for VLAN tag actions in bridge devices 2021-03-24 12:48:38 -07:00
appletalk appletalk: Fix skb allocation size in loopback case 2021-02-12 16:40:28 -08:00
atm net: atm: pppoatm: use new API for wakeup tasklet 2021-01-29 18:24:05 -08:00
ax25 net/ax25: Delete obsolete TODO file 2021-03-30 16:54:50 -07:00
batman-adv Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2021-04-09 20:48:35 -07:00
bluetooth Bluetooth: Allow Microsoft extension to indicate curve validation 2021-04-08 12:26:34 +02:00
bpf bpf: selftests: Add kfunc_call test 2021-03-26 20:41:52 -07:00
bpfilter net: remove redundant 'depends on NET' 2021-01-27 17:04:12 -08:00
bridge netfilter: ebtables: use net_generic infra 2021-04-06 00:34:52 +02:00
caif net: caif: Use netif_rx_any_context(). 2021-02-15 13:21:48 -08:00
can can: isotp: fix msg_namelen values depending on CAN_REQUIRED_SIZE 2021-03-29 09:51:43 +02:00
ceph net: ceph: Fix a typo in osdmap.c 2021-03-25 17:05:07 -07:00
core Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2021-04-09 20:48:35 -07:00
dcb net: dcb: use obj-$(CONFIG_DCB) form in net/Makefile 2021-01-27 17:03:52 -08:00
dccp net: dccp: use net_generic storage 2021-04-09 16:34:56 -07:00
decnet net/decnet: Delete obsolete TODO file 2021-03-30 16:54:50 -07:00
dns_resolver net: remove redundant 'depends on NET' 2021-01-27 17:04:12 -08:00
dsa Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2021-04-09 20:48:35 -07:00
ethernet ethernet: avoid retpoline overhead on TEB (GENEVE, NvGRE, VxLAN) GRO 2021-03-18 19:51:12 -07:00
ethtool ethtool: wire in generic SFP module access 2021-04-11 16:34:56 -07:00
hsr Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2021-04-09 20:48:35 -07:00
ieee802154 net: remove the new_ifindex argument from dev_change_net_namespace 2021-04-07 14:43:28 -07:00
ife net: remove redundant 'depends on NET' 2021-01-27 17:04:12 -08:00
ipv4 Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2021-04-09 20:48:35 -07:00
ipv6 net: seg6: trivial fix of a spelling mistake in comment 2021-04-12 13:17:09 -07:00
iucv iucv: af_iucv.c: Couple of typo fixes 2021-03-28 17:31:13 -07:00
kcm kcm: kcmsock.c: Couple of typo fixes 2021-03-28 17:31:13 -07:00
key af_key: relax availability checks for skb size calculation 2021-01-04 10:05:50 +01:00
l2tp net: l2tp: Fix a typo 2021-03-22 13:17:49 -07:00
l3mdev l3mdev: Correct function names in the kerneldoc comments 2021-03-28 17:56:55 -07:00
lapb net: lapb: Make "lapb_t1timer_running" able to detect an already running timer 2021-03-23 14:14:50 -07:00
llc llc: llc_core.c: COuple of typo fixes 2021-03-28 17:31:13 -07:00
mac80211 Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2021-04-09 20:48:35 -07:00
mac802154 net: mac802154: Fix general protection fault 2021-04-06 22:42:16 +02:00
mpls net: avoid infinite loop in mpls_gso_segment when mpls_hlen == 0 2021-03-09 16:12:20 -08:00
mptcp Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2021-04-09 20:48:35 -07:00
ncsi Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2021-04-09 20:48:35 -07:00
netfilter netfilter: conntrack: move ecache dwork to net_generic infra 2021-04-06 00:34:53 +02:00
netlabel netlabel: Correct function name netlbl_mgmt_add() in the kerneldoc comments 2021-03-28 17:56:55 -07:00
netlink mptcp: avoid lock_fast usage in accept path 2021-02-12 16:31:46 -08:00
netrom
nfc Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2021-04-09 20:48:35 -07:00
nsh
openvswitch Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2021-04-09 20:48:35 -07:00
packet net/packet: Fix a typo in af_packet.c 2021-03-24 17:52:11 -07:00
phonet
psample psample: Add additional metadata attributes 2021-03-14 15:00:43 -07:00
qrtr Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2021-04-09 20:48:35 -07:00
rds Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2021-04-09 20:48:35 -07:00
rfkill rfkill: revert back to old userspace API by default 2021-04-08 10:14:45 +02:00
rose net: rose: Fix fall-through warnings for Clang 2021-03-10 12:45:15 -08:00
rxrpc rxrpc: Fix dependency on IPv6 in udp tunnel config 2021-02-12 16:42:05 -08:00
sched Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2021-04-09 20:48:35 -07:00
sctp Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2021-04-09 20:48:35 -07:00
smc net: smc: Remove repeated struct declaration 2021-04-01 15:52:38 -07:00
strparser
sunrpc Miscellaneous NFSD fixes for v5.12-rc. 2021-03-16 10:22:50 -07:00
switchdev net: bridge: propagate extack through switchdev_port_attr_set 2021-02-14 17:38:11 -08:00
tipc Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2021-04-09 20:48:35 -07:00
tls skmsg: Extract __tcp_bpf_recvmsg() and tcp_bpf_wait_data() 2021-04-01 10:56:14 -07:00
unix af_unix: handle idmapped mounts 2021-01-24 14:27:18 +01:00
vmw_vsock net: vsock: Fix a typo 2021-03-28 17:52:51 -07:00
wireless Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2021-04-09 20:48:35 -07:00
x25 af_x25.c: Fix a spello 2021-03-28 17:31:13 -07:00
xdp bpf, xdp: Restructure redirect actions 2021-03-10 01:06:34 +01:00
xfrm Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2021-04-09 20:48:35 -07:00
compat.c
devres.c
Kconfig net: add CONFIG_PCPU_DEV_REFCNT 2021-03-19 13:38:46 -07:00
Makefile net: l3mdev: use obj-$(CONFIG_NET_L3_MASTER_DEV) form in net/Makefile 2021-01-27 17:03:52 -08:00
socket.c net: Fix a misspell in socket.c 2021-03-25 16:56:27 -07:00
sysctl_net.c net: Ensure net namespace isolation of sysctls 2021-04-12 13:27:11 -07:00