[PATCH net-next 1/2] net: make net.core.{r,w}mem_{default,max} namespaced

From: Matteo Croce
Date: Tue May 28 2024 - 08:12:20 EST

Next message: Arnd Bergmann: "[PATCH] kdb: address -Wformat-security warnings"
Previous message: Matteo Croce: "[PATCH net-next 0/2] net: visibility of memory limits in netns"
In reply to: Matteo Croce: "[PATCH net-next 0/2] net: visibility of memory limits in netns"
Next in thread: Shakeel Butt: "Re: [PATCH net-next 1/2] net: make net.core.{r,w}mem_{default,max} namespaced"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

The following sysctl are global and can't be read from a netns:

net.core.rmem_default
net.core.rmem_max
net.core.wmem_default
net.core.wmem_max

Make the following sysctl parameters available readonly from within a
network namespace, allowing a container to read them.

Signed-off-by: Matteo Croce <teknoraver@xxxxxxxx>
---
net/core/sysctl_net_core.c | 75 +++++++++++++++++++++-----------------
1 file changed, 42 insertions(+), 33 deletions(-)

diff --git a/net/core/sysctl_net_core.c b/net/core/sysctl_net_core.c
index c9fb9ad87485..2079000691e2 100644
--- a/net/core/sysctl_net_core.c
+++ b/net/core/sysctl_net_core.c
@@ -382,38 +382,6 @@ proc_dolongvec_minmax_bpf_restricted(struct ctl_table *table, int write,
#endif

static struct ctl_table net_core_table[] = {
- {
- .procname = "wmem_max",
- .data = &sysctl_wmem_max,
- .maxlen = sizeof(int),
- .mode = 0644,
- .proc_handler = proc_dointvec_minmax,
- .extra1 = &min_sndbuf,
- },
- {
- .procname = "rmem_max",
- .data = &sysctl_rmem_max,
- .maxlen = sizeof(int),
- .mode = 0644,
- .proc_handler = proc_dointvec_minmax,
- .extra1 = &min_rcvbuf,
- },
- {
- .procname = "wmem_default",
- .data = &sysctl_wmem_default,
- .maxlen = sizeof(int),
- .mode = 0644,
- .proc_handler = proc_dointvec_minmax,
- .extra1 = &min_sndbuf,
- },
- {
- .procname = "rmem_default",
- .data = &sysctl_rmem_default,
- .maxlen = sizeof(int),
- .mode = 0644,
- .proc_handler = proc_dointvec_minmax,
- .extra1 = &min_rcvbuf,
- },
{
.procname = "mem_pcpu_rsv",
.data = &net_hotdata.sysctl_mem_pcpu_rsv,
@@ -697,6 +665,41 @@ static struct ctl_table netns_core_table[] = {
.extra2 = SYSCTL_ONE,
.proc_handler = proc_dou8vec_minmax,
},
+ /* sysctl_core_net_init() will set the values after this
+ * to readonly in network namespaces
+ */
+ {
+ .procname = "wmem_max",
+ .data = &sysctl_wmem_max,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = proc_dointvec_minmax,
+ .extra1 = &min_sndbuf,
+ },
+ {
+ .procname = "rmem_max",
+ .data = &sysctl_rmem_max,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = proc_dointvec_minmax,
+ .extra1 = &min_rcvbuf,
+ },
+ {
+ .procname = "wmem_default",
+ .data = &sysctl_wmem_default,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = proc_dointvec_minmax,
+ .extra1 = &min_sndbuf,
+ },
+ {
+ .procname = "rmem_default",
+ .data = &sysctl_rmem_default,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = proc_dointvec_minmax,
+ .extra1 = &min_rcvbuf,
+ },
};

static int __init fb_tunnels_only_for_init_net_sysctl_setup(char *str)
@@ -724,8 +727,14 @@ static __net_init int sysctl_core_net_init(struct net *net)
if (tbl == NULL)
goto err_dup;

- for (i = 0; i < table_size; ++i)
+ for (i = 0; i < table_size; ++i) {
+ if (tbl[i].data == &sysctl_wmem_max)
+ break;
+
tbl[i].data += (char *)net - (char *)&init_net;
+ }
+ for (; i < table_size; ++i)
+ tbl[i].mode &= ~0222;
}

net->core.sysctl_hdr = register_net_sysctl_sz(net, "net/core", tbl, table_size);
--
2.45.1

Next message: Arnd Bergmann: "[PATCH] kdb: address -Wformat-security warnings"
Previous message: Matteo Croce: "[PATCH net-next 0/2] net: visibility of memory limits in netns"
In reply to: Matteo Croce: "[PATCH net-next 0/2] net: visibility of memory limits in netns"
Next in thread: Shakeel Butt: "Re: [PATCH net-next 1/2] net: make net.core.{r,w}mem_{default,max} namespaced"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]