On 11/1/21 16:34, Leonard Crestez wrote: > This is mainly intended to protect against local privilege escalations > through a rarely used feature so it is deliberately not namespaced. > > Enforcement is only at the setsockopt level, this should be enough to > ensure that the tcp_authopt_needed static key never turns on. > > No effort is made to handle disabling when the feature is already in > use. > > Signed-off-by: Leonard Crestez <cdleonard@xxxxxxxxx> > --- [..] > diff --git a/net/ipv4/tcp_authopt.c b/net/ipv4/tcp_authopt.c > index 5e80e5e5e36e..7c49dcce7d24 100644 > --- a/net/ipv4/tcp_authopt.c > +++ b/net/ipv4/tcp_authopt.c > @@ -3,10 +3,15 @@ > #include <linux/kernel.h> > #include <net/tcp.h> > #include <net/tcp_authopt.h> > #include <crypto/hash.h> > > +/* This is mainly intended to protect against local privilege escalations through > + * a rarely used feature so it is deliberately not namespaced. > + */ > +int sysctl_tcp_authopt; Could you add pr_warn_once() for setsockopt() without this set, so that it's visible in dmesg for a user that gets -EPERM. Thanks, Dmitry