Re: [PATCH] sysctl: fix permission check while owner isn't GLOBAL_ROOT_UID
From: Christian Brauner
Date: Mon Jun 28 2021 - 08:17:39 EST
On Fri, Jun 25, 2021 at 01:33:38AM -0700, menglong8.dong@xxxxxxxxx wrote:
> From: Yang Yang <yang.yang29@xxxxxxxxxx>
>
> With user namespace enabled, root in container can't modify
> /proc/sys/net/ipv4/ip_forward. While /proc/sys/net/ipv4/ip_forward
> belongs to root and mode is 644. Since root in container may
> be non-root in host, but test_perm() doesn't consider about it.
I'm confused about what the actual problem is tbh:
root@h3:~# stat -c "%A %a %n" /proc/sys/net/ipv4/ip_forward
-rw-r--r-- 644 /proc/sys/net/ipv4/ip_forward
root@h3:~# echo 0 > /proc/sys/net/ipv4/ip_forward
root@h3:~# cat /proc/sys/net/ipv4/ip_forward
0
root@h3:~# cat /proc/self/uid_map
0 100000 1000000000
Also, this patch changes the security requirements for all sysctls which
is unfortunately unacceptable.