Re: [PATCH] sysctl: fix permission check while owner isn't GLOBAL_ROOT_UID

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Fri, Jun 25, 2021 at 01:33:38AM -0700, menglong8.dong@xxxxxxxxx wrote:
> From: Yang Yang <yang.yang29@xxxxxxxxxx>
> 
> With user namespace enabled, root in container can't modify
> /proc/sys/net/ipv4/ip_forward. While /proc/sys/net/ipv4/ip_forward
> belongs to root and mode is 644. Since root in container may
> be non-root in host, but test_perm() doesn't consider about it.

I'm confused about what the actual problem is tbh:

root@h3:~# stat -c "%A %a %n" /proc/sys/net/ipv4/ip_forward
-rw-r--r-- 644 /proc/sys/net/ipv4/ip_forward

root@h3:~# echo 0 > /proc/sys/net/ipv4/ip_forward

root@h3:~# cat /proc/sys/net/ipv4/ip_forward
0

root@h3:~# cat /proc/self/uid_map 
         0     100000 1000000000

Also, this patch changes the security requirements for all sysctls which
is unfortunately unacceptable.
[Index of Archives]     [Linux Ext4 Filesystem]     [Union Filesystem]     [Filesystem Testing]     [Ceph Users]     [Ecryptfs]     [AutoFS]     [Kernel Newbies]     [Share Photos]     [Security]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux Cachefs]     [Reiser Filesystem]     [Linux RAID]     [Samba]     [Device Mapper]     [CEPH Development]

  Powered by Linux