Re: [PATCH] sysctl: fix permission check while owner isn't GLOBAL_ROOT_UID

From: Christian Brauner
Date: Mon Jun 28 2021 - 08:17:39 EST


On Fri, Jun 25, 2021 at 01:33:38AM -0700, menglong8.dong@xxxxxxxxx wrote:
> From: Yang Yang <yang.yang29@xxxxxxxxxx>
>
> With user namespace enabled, root in container can't modify
> /proc/sys/net/ipv4/ip_forward. While /proc/sys/net/ipv4/ip_forward
> belongs to root and mode is 644. Since root in container may
> be non-root in host, but test_perm() doesn't consider about it.

I'm confused about what the actual problem is tbh:

root@h3:~# stat -c "%A %a %n" /proc/sys/net/ipv4/ip_forward
-rw-r--r-- 644 /proc/sys/net/ipv4/ip_forward

root@h3:~# echo 0 > /proc/sys/net/ipv4/ip_forward

root@h3:~# cat /proc/sys/net/ipv4/ip_forward
0

root@h3:~# cat /proc/self/uid_map
0 100000 1000000000

Also, this patch changes the security requirements for all sysctls which
is unfortunately unacceptable.