On 11/3/21 4:39 AM, David Ahern wrote:
On 11/1/21 10:34 AM, Leonard Crestez wrote:
diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
index 97eb54774924..cc34de6e4817 100644
--- a/net/ipv4/sysctl_net_ipv4.c
+++ b/net/ipv4/sysctl_net_ipv4.c
@@ -17,10 +17,11 @@
#include <net/udp.h>
#include <net/cipso_ipv4.h>
#include <net/ping.h>
#include <net/protocol.h>
#include <net/netevent.h>
+#include <net/tcp_authopt.h>
static int two = 2;
static int three __maybe_unused = 3;
static int four = 4;
static int thousand = 1000;
@@ -583,10 +584,19 @@ static struct ctl_table ipv4_table[] = {
.mode = 0644,
.proc_handler = proc_douintvec_minmax,
.extra1 = &sysctl_fib_sync_mem_min,
.extra2 = &sysctl_fib_sync_mem_max,
},
+#ifdef CONFIG_TCP_AUTHOPT
+ {
+ .procname = "tcp_authopt",
+ .data = &sysctl_tcp_authopt,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = proc_dointvec,
Just add it to the namespace set, and this could be a u8 (try to plug a
hole if possible) with min/max specified:
.maxlen = sizeof(u8),
.mode = 0644,
.extra1 = SYSCTL_ZERO,
.extra2 = SYSCTL_ONE
see icmp_echo_enable_probe as an example. And if you are not going to
clean up when toggled off, you need a handler that tells the user it can
not be disabled by erroring out on attempts to disable it.
This is deliberately per-system because the goal is to avoid possible
local privilege escalations by reducing the attack surface. Even the
smallest flaw could be exploited by a malicious application establishing
an authenticated connection on loopback.
Applications running in containers frequently have full access to
sysctls so making this per-namespace would defeat the original purpose.
I can't think of any reason to prevent using this feature at the
namespace level, it has no interesting effects outside TCP connections
for which it is enabled.
I also believe that as similar sysctl would be useful for TCP-MD5.
You're right about adding additional prints.
--
Regards,
Leonard