]> git.baikalelectronics.ru Git - kernel.git/commitdiff
netfilter: ipvs: make global sysctl readonly in non-init netns
authorAntoine Tenart <atenart@kernel.org>
Tue, 12 Oct 2021 14:54:37 +0000 (16:54 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 27 Oct 2021 07:54:25 +0000 (09:54 +0200)
[ Upstream commit 174c376278949c44aad89c514a6b5db6cee8db59 ]

Because the data pointer of net/ipv4/vs/debug_level is not updated per
netns, it must be marked as read-only in non-init netns.

Fixes: 9f010cc4336e ("IPVS: netns, final patch enabling network name space.")
Signed-off-by: Antoine Tenart <atenart@kernel.org>
Acked-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
net/netfilter/ipvs/ip_vs_ctl.c

index f93fa0e210979af47bc0115586c6caeb2e50967c..07242503d74d388613f7ea0dc0819971f5d9577f 100644 (file)
@@ -4047,6 +4047,11 @@ static int __net_init ip_vs_control_net_init_sysctl(struct netns_ipvs *ipvs)
        tbl[idx++].data = &ipvs->sysctl_conn_reuse_mode;
        tbl[idx++].data = &ipvs->sysctl_schedule_icmp;
        tbl[idx++].data = &ipvs->sysctl_ignore_tunneled;
+#ifdef CONFIG_IP_VS_DEBUG
+       /* Global sysctls must be ro in non-init netns */
+       if (!net_eq(net, &init_net))
+               tbl[idx++].mode = 0444;
+#endif
 
        ipvs->sysctl_hdr = register_net_sysctl(net, "net/ipv4/vs", tbl);
        if (ipvs->sysctl_hdr == NULL) {