Re: [PATCH] sysctl: fix permission check while owner isn't GLOBAL_ROOT_UID

From: Christian Brauner
Date: Mon Jun 28 2021 - 08:17:39 EST

Next message: Vincent Guittot: "Re: [PATCH V3 0/4] cpufreq: cppc: Add support for frequency invariance"
Previous message: Arend van Spriel: "Re: [PATCH] brcmfmac: use separate firmware for 43430 revision 2"
In reply to: menglong8 . dong: "[PATCH] sysctl: fix permission check while owner isn't GLOBAL_ROOT_UID"
Next in thread: Christian Brauner: "Re: [PATCH] sysctl: fix permission check while owner isn't GLOBAL_ROOT_UID"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, Jun 25, 2021 at 01:33:38AM -0700, menglong8.dong@xxxxxxxxx wrote:
> From: Yang Yang <yang.yang29@xxxxxxxxxx>
>
> With user namespace enabled, root in container can't modify
> /proc/sys/net/ipv4/ip_forward. While /proc/sys/net/ipv4/ip_forward
> belongs to root and mode is 644. Since root in container may
> be non-root in host, but test_perm() doesn't consider about it.

I'm confused about what the actual problem is tbh:

root@h3:~# stat -c "%A %a %n" /proc/sys/net/ipv4/ip_forward
-rw-r--r-- 644 /proc/sys/net/ipv4/ip_forward

root@h3:~# echo 0 > /proc/sys/net/ipv4/ip_forward

root@h3:~# cat /proc/sys/net/ipv4/ip_forward
0

root@h3:~# cat /proc/self/uid_map
0 100000 1000000000

Also, this patch changes the security requirements for all sysctls which
is unfortunately unacceptable.

Next message: Vincent Guittot: "Re: [PATCH V3 0/4] cpufreq: cppc: Add support for frequency invariance"
Previous message: Arend van Spriel: "Re: [PATCH] brcmfmac: use separate firmware for 43430 revision 2"
In reply to: menglong8 . dong: "[PATCH] sysctl: fix permission check while owner isn't GLOBAL_ROOT_UID"
Next in thread: Christian Brauner: "Re: [PATCH] sysctl: fix permission check while owner isn't GLOBAL_ROOT_UID"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]