On Mon, Dec 06, 2021 at 04:45:20PM -0800, Jakub Kicinski wrote:
> On Fri, 3 Dec 2021 03:28:15 +0000 cgel.zte@xxxxxxxxx wrote:
> > From: xu xin <xu.xin16@xxxxxxxxxx>
> >
> > Enabled sysctls include the following:
> > 1. net/ipv4/neigh/<if>/*
> > 2. net/ipv6/neigh/<if>/*
> > 3. net/ieee802154/6lowpan/*
> > 4. net/ipv6/route/*
> > 5. net/ipv4/vs/*
> > 6. net/unix/*
> > 7. net/core/xfrm_*
> >
> > In practical work, some userns with root privilege have needs to adjust
> > these sysctls in their own netns, but are limited just because they are not
> > init user_ns, even if they are given root privilege by docker -privilege.
>
> You need to justify why removing these checks is safe. It sounds like
> you're only describing why having the permissions is problematic, which
> is fair but not sufficient to just remove them.
>

Hi, Jakub

My patch is a little radical. I just saw Eric's previous reply to Alexander
(https://lore.kernel.org/all/87pmsqyuqy.fsf@disp2133/). These were disabled
out of an abundance of caution. My original intention is to enable the part
of the sysctls about neighbor which I think was safe, but I will try to
figure out which of these sysctls are safe to be enabled.

> > Reported-by: xu xin <xu.xin16@xxxxxxxxxx>
> > Tested-by: xu xin <xu.xin16@xxxxxxxxxx>
>
> These tags are superfluous for the author of the patch.
>

Ok. Thank you for correcting me.

> > Signed-off-by: xu xin <xu.xin16@xxxxxxxxxx>
> > ---
> >  net/core/neighbour.c                | 4 ----
> >  net/ieee802154/6lowpan/reassembly.c | 4 ----
> >  net/ipv6/route.c                    | 4 ----
> >  net/netfilter/ipvs/ip_vs_ctl.c      | 4 ----
> >  net/netfilter/ipvs/ip_vs_lblc.c     | 4 ----
> >  net/netfilter/ipvs/ip_vs_lblcr.c    | 3 ---
> >  net/unix/sysctl_net_unix.c          | 4 ----
> >  net/xfrm/xfrm_sysctl.c              | 4 ----
> >  8 files changed, 31 deletions(-)