From ee90fa45f7eecbdcc040ef8fd56b9c2dd3a4ddd7 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 17 May 2021 14:05:35 +0200
Subject: [PATCH] 4.9-stable patches

added patches:
netfilter-conntrack-make-global-sysctls-readonly-in-non-init-netns.patch

---
 ...l-sysctls-readonly-in-non-init-netns.patch | 51 +++++++++++++++++++
 queue-4.9/series | 1 +
 2 files changed, 52 insertions(+)
 create mode 100644 queue-4.9/netfilter-conntrack-make-global-sysctls-readonly-in-non-init-netns.patch

diff --git a/queue-4.9/netfilter-conntrack-make-global-sysctls-readonly-in-non-init-netns.patch b/queue-4.9/netfilter-conntrack-make-global-sysctls-readonly-in-non-init-netns.patch
new file mode 100644
index 00000000000..e56683fbf5d
--- /dev/null
+++ b/queue-4.9/netfilter-conntrack-make-global-sysctls-readonly-in-non-init-netns.patch
@@ -0,0 +1,51 @@
+From 2671fa4dc0109d3fb581bc3078fdf17b5d9080f6 Mon Sep 17 00:00:00 2001
+From: Jonathon Reinhart
+Date: Mon, 12 Apr 2021 00:24:53 -0400
+Subject: netfilter: conntrack: Make global sysctls readonly in non-init netns
+
+From: Jonathon Reinhart
+
+commit 2671fa4dc0109d3fb581bc3078fdf17b5d9080f6 upstream.
+
+These sysctls point to global variables:
+- NF_SYSCTL_CT_MAX (&nf_conntrack_max)
+- NF_SYSCTL_CT_EXPECT_MAX (&nf_ct_expect_max)
+- NF_SYSCTL_CT_BUCKETS (&nf_conntrack_htable_size_user)
+
+Because their data pointers are not updated to point to per-netns
+structures, they must be marked read-only in a non-init_net ns.
+Otherwise, changes in any net namespace are reflected in (leaked into)
+all other net namespaces. This problem has existed since the
+introduction of net namespaces.
+
+The current logic marks them read-only only if the net namespace is
+owned by an unprivileged user (other than init_user_ns).
+
+Commit d0febd81ae77 ("netfilter: conntrack: re-visit sysctls in
+unprivileged namespaces") "exposes all sysctls even if the namespace is
+unpriviliged." Since we need to mark them readonly in any case, we can
+forego the unprivileged user check altogether.
+
+Fixes: d0febd81ae77 ("netfilter: conntrack: re-visit sysctls in unprivileged namespaces")
+Signed-off-by: Jonathon Reinhart
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/nf_conntrack_standalone.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/nf_conntrack_standalone.c
++++ b/net/netfilter/nf_conntrack_standalone.c
+@@ -551,8 +551,11 @@ static int nf_conntrack_standalone_init_
+ if (net->user_ns != &init_user_ns)
+ table[0].procname = NULL;
+ 
+- if (!net_eq(&init_net, net))
++ if (!net_eq(&init_net, net)) {
++ table[0].mode = 0444;
+ table[2].mode = 0444;
++ table[5].mode = 0444;
++ }
+ 
+ net->ct.sysctl_header = register_net_sysctl(net, "net/netfilter", table);
+ if (!net->ct.sysctl_header)
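Review bot: The bare indices `table[0]`, `table[2]` and `table[5]` in the added block depend on the positional layout of nf_ct_sysctl_table, which is defined outside this hunk, and the upstream commit refers to the same entries through the NF_SYSCTL_CT_MAX / NF_SYSCTL_CT_BUCKETS / NF_SYSCTL_CT_EXPECT_MAX enum that this 4.9 backport does not use; please confirm against the 4.9 table that index 5 is nf_conntrack_expect_max rather than a neighbouring per-netns entry such as checksum or log_invalid, and tie the numbers to the names with a comment like `/* nf_conntrack_max, nf_conntrack_buckets, nf_conntrack_expect_max point at global data: read-only outside init_net */`. The Fixes: tag names d0febd81ae77, which is a later upstream change; in this tree the preceding `table[0].procname = NULL` presumably already truncates the table for unprivileged user namespaces, so the case this backport actually closes appears to be a privileged child netns (user_ns == &init_user_ns, net != &init_net) writing nf_conntrack_max and nf_conntrack_expect_max for every namespace on the host, which is worth stating in the backport description. The enclosing function nf_conntrack_standalone_init_sysctl starts and ends outside the hunk.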
diff --git a/queue-4.9/series b/queue-4.9/series
index b306c69aa47..5b6a65b2dbe 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -219,3 +219,4 @@ mips-avoid-handcoded-divu-in-__div64_32-altogether.patch
 thermal-core-fair-share-lock-the-thermal-zone-while-looping-over-instances.patch
 dm-ioctl-fix-out-of-bounds-array-access-when-no-devices.patch
 kobject_uevent-remove-warning-in-init_uevent_argv.patch
+netfilter-conntrack-make-global-sysctls-readonly-in-non-init-netns.patch
-- 
2.47.3