--- /dev/null
+From 2671fa4dc0109d3fb581bc3078fdf17b5d9080f6 Mon Sep 17 00:00:00 2001
+From: Jonathon Reinhart <jonathon.reinhart@gmail.com>
+Date: Mon, 12 Apr 2021 00:24:53 -0400
+Subject: netfilter: conntrack: Make global sysctls readonly in non-init netns
+
+From: Jonathon Reinhart <jonathon.reinhart@gmail.com>
+
+commit 2671fa4dc0109d3fb581bc3078fdf17b5d9080f6 upstream.
+
+These sysctls point to global variables:
+- NF_SYSCTL_CT_MAX (&nf_conntrack_max)
+- NF_SYSCTL_CT_EXPECT_MAX (&nf_ct_expect_max)
+- NF_SYSCTL_CT_BUCKETS (&nf_conntrack_htable_size_user)
+
+Because their data pointers are not updated to point to per-netns
+structures, they must be marked read-only in a non-init_net ns.
+Otherwise, changes in any net namespace are reflected in (leaked into)
+all other net namespaces. This problem has existed since the
+introduction of net namespaces.
+
+The current logic marks them read-only only if the net namespace is
+owned by an unprivileged user (other than init_user_ns).
+
+Commit d0febd81ae77 ("netfilter: conntrack: re-visit sysctls in
+unprivileged namespaces") "exposes all sysctls even if the namespace is
+unpriviliged." Since we need to mark them readonly in any case, we can
+forego the unprivileged user check altogether.
+
+Fixes: d0febd81ae77 ("netfilter: conntrack: re-visit sysctls in unprivileged namespaces")
+Signed-off-by: Jonathon Reinhart <Jonathon.Reinhart@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nf_conntrack_standalone.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/nf_conntrack_standalone.c
++++ b/net/netfilter/nf_conntrack_standalone.c
+@@ -551,8 +551,11 @@ static int nf_conntrack_standalone_init_
+ if (net->user_ns != &init_user_ns)
+ table[0].procname = NULL;
+
+- if (!net_eq(&init_net, net))
++ if (!net_eq(&init_net, net)) {
++ table[0].mode = 0444;
+ table[2].mode = 0444;
++ table[5].mode = 0444;
++ }
+
+ net->ct.sysctl_header = register_net_sysctl(net, "net/netfilter", table);
+ if (!net->ct.sysctl_header)
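Review bot: the visible context still keeps the unprivileged-user check (`if (net->user_ns != &init_user_ns) table[0].procname = NULL;`) even though the message says the check can be foregone altogether; if that line is intentionally retained in this backport because it hides the entry rather than making it read-only, a short backport note explaining the divergence from the upstream description would help stable reviewers, otherwise it should be dropped to match the message. The indices `table[0]`, `table[2]` and `table[5]` are also bare numbers while the message names the entries as NF_SYSCTL_CT_MAX, NF_SYSCTL_CT_EXPECT_MAX and NF_SYSCTL_CT_BUCKETS; if those enum values exist in this tree, using them instead of magic indices makes the new `mode = 0444` lines self-documenting and robust to table reordering, and a brief comment above the `if (!net_eq(&init_net, net)) {` block stating that these three point at global (not per-netns) variables would record why they must be read-only here.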