From: Greg Kroah-Hartman Date: Mon, 17 May 2021 12:06:03 +0000 (+0200) Subject: 4.19-stable patches X-Git-Tag: v5.4.120~15 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=19d70c9b8cfd153a591595a570167d557c8efcaf;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: netfilter-conntrack-make-global-sysctls-readonly-in-non-init-netns.patch --- diff --git a/queue-4.19/netfilter-conntrack-make-global-sysctls-readonly-in-non-init-netns.patch b/queue-4.19/netfilter-conntrack-make-global-sysctls-readonly-in-non-init-netns.patch new file mode 100644 index 00000000000..bf2afb52983 --- /dev/null +++ b/queue-4.19/netfilter-conntrack-make-global-sysctls-readonly-in-non-init-netns.patch 
@@ -0,0 +1,51 @@ +From 2671fa4dc0109d3fb581bc3078fdf17b5d9080f6 Mon Sep 17 00:00:00 2001 +From: Jonathon Reinhart +Date: Mon, 12 Apr 2021 00:24:53 -0400 +Subject: netfilter: conntrack: Make global sysctls readonly in non-init netns + +From: Jonathon Reinhart + +commit 2671fa4dc0109d3fb581bc3078fdf17b5d9080f6 upstream. + +These sysctls point to global variables: +- NF_SYSCTL_CT_MAX (&nf_conntrack_max) +- NF_SYSCTL_CT_EXPECT_MAX (&nf_ct_expect_max) +- NF_SYSCTL_CT_BUCKETS (&nf_conntrack_htable_size_user) + +Because their data pointers are not updated to point to per-netns +structures, they must be marked read-only in a non-init_net ns. +Otherwise, changes in any net namespace are reflected in (leaked into) +all other net namespaces. This problem has existed since the +introduction of net namespaces. + +The current logic marks them read-only only if the net namespace is +owned by an unprivileged user (other than init_user_ns). + +Commit d0febd81ae77 ("netfilter: conntrack: re-visit sysctls in +unprivileged namespaces") "exposes all sysctls even if the namespace is +unpriviliged." Since we need to mark them readonly in any case, we can +forego the unprivileged user check altogether. + +Fixes: d0febd81ae77 ("netfilter: conntrack: re-visit sysctls in unprivileged namespaces") +Signed-off-by: Jonathon Reinhart +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/nf_conntrack_standalone.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/net/netfilter/nf_conntrack_standalone.c ++++ b/net/netfilter/nf_conntrack_standalone.c +@@ -594,8 +594,11 @@ static int nf_conntrack_standalone_init_ + if (net->user_ns != &init_user_ns) + table[0].procname = NULL; + +- if (!net_eq(&init_net, net)) ++ if (!net_eq(&init_net, net)) { ++ table[0].mode = 0444; + table[2].mode = 0444; ++ table[5].mode = 0444; ++ } + + net->ct.sysctl_header = register_net_sysctl(net, "net/netfilter", table); + if (!net->ct.sysctl_header) 
diff --git a/queue-4.19/series b/queue-4.19/series index 48f57c2d34e..115662b174f 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -389,3 +389,4 @@ mips-avoid-divu-in-__div64_32-is-result-would-be-zero.patch mips-avoid-handcoded-divu-in-__div64_32-altogether.patch thermal-core-fair-share-lock-the-thermal-zone-while-looping-over-instances.patch kobject_uevent-remove-warning-in-init_uevent_argv.patch +netfilter-conntrack-make-global-sysctls-readonly-in-non-init-netns.patch
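Review bot: the new `table[0].mode = 0444;` and `table[5].mode = 0444;` lines in the nf_conntrack_standalone.c hunk use bare positional indices, while the commit message identifies the entries by name (NF_SYSCTL_CT_MAX, NF_SYSCTL_CT_BUCKETS, NF_SYSCTL_CT_EXPECT_MAX); a comment tying each index to its sysctl, e.g. `table[0].mode = 0444; /* nf_conntrack_max */`, would let a stable reviewer confirm that the 4.19 table layout still matches the upstream description without opening the file, since a positional index silently points at the wrong entry if the table order differs between trees. Note also that the unchanged context `if (net->user_ns != &init_user_ns) table[0].procname = NULL;` is still present in this 4.19 tree: because a ctl_table array ends at the first entry whose procname is NULL, namespaces owned by an unprivileged user register no conntrack sysctls here at all, so the `Fixes: d0febd81ae77` tag, which refers to the upstream change that exposed them, does not describe code that exists in 4.19. The read-only marking is still needed for the case the `!net_eq(&init_net, net)` branch does cover, a namespace created by a privileged user that is not init_net, where a write to these entries would otherwise change the global values; a short backport note stating that would make the stable rationale self-contained.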