From 9e6d84b0648bd2f0c05e0111c279693b2f134bad Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 17 May 2021 14:06:18 +0200
Subject: [PATCH] 5.4-stable patches
added patches:
 netfilter-conntrack-make-global-sysctls-readonly-in-non-init-netns.patch
---
 ...l-sysctls-readonly-in-non-init-netns.patch | 51 +++++++++++++++++++
 queue-5.4/series | 1 +
 2 files changed, 52 insertions(+)
 create mode 100644 queue-5.4/netfilter-conntrack-make-global-sysctls-readonly-in-non-init-netns.patch
diff --git a/queue-5.4/netfilter-conntrack-make-global-sysctls-readonly-in-non-init-netns.patch b/queue-5.4/netfilter-conntrack-make-global-sysctls-readonly-in-non-init-netns.patch
new file mode 100644
index 00000000000..13fe81a0136
--- /dev/null
+++ b/queue-5.4/netfilter-conntrack-make-global-sysctls-readonly-in-non-init-netns.patch
@@ -0,0 +1,51 @@
+From 2671fa4dc0109d3fb581bc3078fdf17b5d9080f6 Mon Sep 17 00:00:00 2001
+From: Jonathon Reinhart
+Date: Mon, 12 Apr 2021 00:24:53 -0400
+Subject: netfilter: conntrack: Make global sysctls readonly in non-init netns
+
+From: Jonathon Reinhart
+
+commit 2671fa4dc0109d3fb581bc3078fdf17b5d9080f6 upstream.
+
+These sysctls point to global variables:
+- NF_SYSCTL_CT_MAX (&nf_conntrack_max)
+- NF_SYSCTL_CT_EXPECT_MAX (&nf_ct_expect_max)
+- NF_SYSCTL_CT_BUCKETS (&nf_conntrack_htable_size_user)
+
+Because their data pointers are not updated to point to per-netns
+structures, they must be marked read-only in a non-init_net ns.
+Otherwise, changes in any net namespace are reflected in (leaked into)
+all other net namespaces. This problem has existed since the
+introduction of net namespaces.
+
+The current logic marks them read-only only if the net namespace is
+owned by an unprivileged user (other than init_user_ns).
+
+Commit d0febd81ae77 ("netfilter: conntrack: re-visit sysctls in
+unprivileged namespaces") "exposes all sysctls even if the namespace is
+unpriviliged." Since we need to mark them readonly in any case, we can
+forego the unprivileged user check altogether.
+
+Fixes: d0febd81ae77 ("netfilter: conntrack: re-visit sysctls in unprivileged namespaces")
+Signed-off-by: Jonathon Reinhart
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/nf_conntrack_standalone.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/nf_conntrack_standalone.c
++++ b/net/netfilter/nf_conntrack_standalone.c
+@@ -1071,8 +1071,11 @@ static int nf_conntrack_standalone_init_
+ #endif
+ }
+
+- if (!net_eq(&init_net, net))
++ if (!net_eq(&init_net, net)) {
++ table[NF_SYSCTL_CT_MAX].mode = 0444;
++ table[NF_SYSCTL_CT_EXPECT_MAX].mode = 0444;
+ table[NF_SYSCTL_CT_BUCKETS].mode = 0444;
++ }
+
+ net->ct.sysctl_header = register_net_sysctl(net, "net/netfilter", table);
+ if (!net->ct.sysctl_header)
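Review bot: The backport is narrower than its message implies: the text says the unprivileged-user check can be foregone altogether, but the code hunk (`+ 1 file changed, 4 insertions(+), 1 deletion(-)`) only widens the `if (!net_eq(&init_net, net))` branch to cover NF_SYSCTL_CT_MAX and NF_SYSCTL_CT_EXPECT_MAX and removes nothing, so if 5.4 still carries a `net->user_ns != &init_user_ns` block for these entries above this hunk it would remain as a redundant but harmless assignment — worth confirming against the 5.4 tree before queueing. The enclosing function (header truncated in the hunk context as `nf_conntrack_standalone_init_`) starts and ends outside the hunk. As far as enforcement goes, net_ctl_permissions() derives the effective permission from the owner bits of `mode` even for a CAP_NET_ADMIN holder in the child user namespace, so `0444` does reject writes from a container root, while reads still return the host-global value because `.data` is left untouched. A one-line comment above the branch, e.g. `/* these three entries still point at globals; a write from a child netns would leak into all namespaces */`, would record why exactly these indices are forced read-only.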
diff --git a/queue-5.4/series b/queue-5.4/series
index 949fe62b225..1eb1679089e 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -135,3 +135,4 @@ arm-9020-1-mm-use-correct-section-size-macro-to-describe-the-fdt-virtual-address
 arm-9027-1-head.s-explicitly-map-dt-even-if-it-lives-in-the-first-physical-section.patch
 usb-typec-tcpm-fix-error-while-calculating-pps-out-values.patch
 kobject_uevent-remove-warning-in-init_uevent_argv.patch
+netfilter-conntrack-make-global-sysctls-readonly-in-non-init-netns.patch
-- 
2.47.3