Re: Patch "netfilter: conntrack: Make global sysctls readonly in non-init netns" has been added to the 5.4-stable tree

On Mon, May 17, 2021 at 09:47:09AM -0400, Jonathon Reinhart wrote:
> On Mon, May 17, 2021 at 8:06 AM <gregkh@xxxxxxxxxxxxxxxxxxx> wrote:
> >
> > The current logic marks them read-only only if the net namespace is
> > owned by an unprivileged user (other than init_user_ns).
> >
> > Commit d0febd81ae77 ("netfilter: conntrack: re-visit sysctls in
> > unprivileged namespaces") "exposes all sysctls even if the namespace is
> > unprivileged." Since we need to mark them readonly in any case, we can
> > forego the unprivileged user check altogether.
> >
> > Fixes: d0febd81ae77 ("netfilter: conntrack: re-visit sysctls in unprivileged namespaces")
> 
> Greg, perhaps it's not a big deal, but the commit message seems to
> have been taken from the original upstream commit, rather than from my
> 5.4 patch submission. The above verbiage doesn't apply to 5.4; none of
> the user namespace checks existed yet on 5.4, and that logic isn't
> present or affected by the patch. Commit d0febd81ae77 was added in 5.6
> rc5.
> 
> The actual patch looks fine though.

I'd prefer to take the original commit message, that way it's easier to
track over time.

thanks,

greg k-h
