5.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 17 May 2021 12:06:18 +0000 (14:06 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 17 May 2021 12:06:18 +0000 (14:06 +0200)
added patches:
netfilter-conntrack-make-global-sysctls-readonly-in-non-init-netns.patch

queue-5.4/netfilter-conntrack-make-global-sysctls-readonly-in-non-init-netns.patch [new file with mode: 0644]
queue-5.4/series

diff --git a/queue-5.4/netfilter-conntrack-make-global-sysctls-readonly-in-non-init-netns.patch b/queue-5.4/netfilter-conntrack-make-global-sysctls-readonly-in-non-init-netns.patch
new file mode 100644 (file)
index 0000000..13fe81a
--- /dev/null
@@ -0,0 +1,51 @@
+From 2671fa4dc0109d3fb581bc3078fdf17b5d9080f6 Mon Sep 17 00:00:00 2001
+From: Jonathon Reinhart <jonathon.reinhart@gmail.com>
+Date: Mon, 12 Apr 2021 00:24:53 -0400
+Subject: netfilter: conntrack: Make global sysctls readonly in non-init netns
+
+From: Jonathon Reinhart <jonathon.reinhart@gmail.com>
+
+commit 2671fa4dc0109d3fb581bc3078fdf17b5d9080f6 upstream.
+
+These sysctls point to global variables:
+- NF_SYSCTL_CT_MAX (&nf_conntrack_max)
+- NF_SYSCTL_CT_EXPECT_MAX (&nf_ct_expect_max)
+- NF_SYSCTL_CT_BUCKETS (&nf_conntrack_htable_size_user)
+
+Because their data pointers are not updated to point to per-netns
+structures, they must be marked read-only in a non-init_net ns.
+Otherwise, changes in any net namespace are reflected in (leaked into)
+all other net namespaces. This problem has existed since the
+introduction of net namespaces.
+
+The current logic marks them read-only only if the net namespace is
+owned by an unprivileged user (other than init_user_ns).
+
+Commit d0febd81ae77 ("netfilter: conntrack: re-visit sysctls in
+unprivileged namespaces") "exposes all sysctls even if the namespace is
+unpriviliged." Since we need to mark them readonly in any case, we can
+forego the unprivileged user check altogether.
+
+Fixes: d0febd81ae77 ("netfilter: conntrack: re-visit sysctls in unprivileged namespaces")
+Signed-off-by: Jonathon Reinhart <Jonathon.Reinhart@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nf_conntrack_standalone.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/nf_conntrack_standalone.c
++++ b/net/netfilter/nf_conntrack_standalone.c
+@@ -1071,8 +1071,11 @@ static int nf_conntrack_standalone_init_
+ #endif
+       }
+-      if (!net_eq(&init_net, net))
++      if (!net_eq(&init_net, net)) {
++              table[NF_SYSCTL_CT_MAX].mode = 0444;
++              table[NF_SYSCTL_CT_EXPECT_MAX].mode = 0444;
+               table[NF_SYSCTL_CT_BUCKETS].mode = 0444;
++      }
+       net->ct.sysctl_header = register_net_sysctl(net, "net/netfilter", table);
+       if (!net->ct.sysctl_header)
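Review bot: The three `mode = 0444` assignments inside the new `if (!net_eq(&init_net, net)) {` block carry no in-code explanation of why exactly these entries are demoted, although the reason (their `.data` still points at the globals `nf_conntrack_max`, `nf_ct_expect_max` and `nf_conntrack_htable_size_user` rather than per-netns state) is stated only in the commit message. I would put `/* .data of these entries still points at globals shared by every netns; only init_net may write them */` directly above the `if`, so that anyone adding another global-backed sysctl to this table applies the same rule instead of repeating the leak. Worth keeping in mind that this is a write-side fix only: per the removed line, only the buckets entry was previously read-only, so a non-init netns could change the host-wide conntrack and expectation limits for every namespace, and after the patch the values remain readable everywhere, which looks intentional. The enclosing function (its hunk header is truncated to `nf_conntrack_standalone_init_`) starts and ends outside the hunk, so whether `table` is a per-netns copy and how the `register_net_sysctl` failure path is handled cannot be checked here.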
index 949fe62b2256421e1f4940b433d3d608acee5e57..1eb1679089e6f272c317d351f430c957cf339d9b 100644 (file)
@@ -135,3 +135,4 @@ arm-9020-1-mm-use-correct-section-size-macro-to-describe-the-fdt-virtual-address
 arm-9027-1-head.s-explicitly-map-dt-even-if-it-lives-in-the-first-physical-section.patch
 usb-typec-tcpm-fix-error-while-calculating-pps-out-values.patch
 kobject_uevent-remove-warning-in-init_uevent_argv.patch
+netfilter-conntrack-make-global-sysctls-readonly-in-non-init-netns.patch