From: Krister Johansen <kjlx@templeofstupid•com>
To: Eric Dumazet <eric.dumazet@gmail•com>
Cc: Krister Johansen <kjlx@templeofstupid•com>,
Stephen Hemminger <stephen@networkplumber•org>,
"David S. Miller" <davem@davemloft•net>,
netdev@vger•kernel.org
Subject: Re: [PATCH v2 net-next] Introduce a sysctl that modifies the value of PROT_SOCK.
Date: Fri, 13 Jan 2017 16:11:38 -0800 [thread overview]
Message-ID: <20170114001138.GC3094@templeofstupid.com> (raw)
In-Reply-To: <1484231997.15816.36.camel@edumazet-glaptop3.roam.corp.google.com>
On Thu, Jan 12, 2017 at 06:39:57AM -0800, Eric Dumazet wrote:
> On Wed, 2017-01-11 at 22:52 -0800, Krister Johansen wrote:
> > Add net.ipv4.ip_unprotected_port_start, which is a per namespace sysctl
> > that denotes the first unprotected inet port in the namespace. To
> > disable all protected ports set this to zero. It also checks for
> > overlap with the local port range. The protected and local range may
> > not overlap.
> >
> > The use case for this change is to allow containerized processes to bind
> > to priviliged ports, but prevent them from ever being allowed to modify
> > their container's network configuration. The latter is accomplished by
> > ensuring that the network namespace is not a child of the user
> > namespace. This modification was needed to allow the container manager
> > to disable a namespace's priviliged port restrictions without exposing
> > control of the network namespace to processes in the user namespace.
> >
> > Signed-off-by: Krister Johansen <kjlx@templeofstupid•com>
> > ---
> > include/net/ip.h | 10 +++++++++
> > include/net/netns/ipv4.h | 1 +
> > net/ipv4/af_inet.c | 5 ++++-
> > net/ipv4/sysctl_net_ipv4.c | 50 +++++++++++++++++++++++++++++++++++++++++-
> > net/ipv6/af_inet6.c | 3 ++-
> > net/netfilter/ipvs/ip_vs_ctl.c | 7 +++---
> > net/sctp/socket.c | 10 +++++----
> > security/selinux/hooks.c | 3 ++-
>
> Adding a new sysctl without documentation is generally not accepted.
>
> Please take a look at Documentation/networking/ip-sysctl.txt
Thanks for catching this. I'll add an entry to the documentation.
> BTW, sticking to 'unprivileged' ports might be better than 'unprotected'
> which is vague.
I don't have a strong preference about the naming. I'd be happy to
change it to 'unprivileged' instead.
-K
next prev parent reply other threads:[~2017-01-14 0:11 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-12-31 4:11 [PATCH] Introduce a sysctl that modifies the value of PROT_SOCK Krister Johansen
2016-12-31 20:55 ` Stephen Hemminger
2017-01-04 10:19 ` Krister Johansen
2017-01-12 6:52 ` [PATCH v2 net-next] " Krister Johansen
2017-01-12 14:22 ` David Miller
2017-01-14 0:13 ` Krister Johansen
2017-01-12 14:39 ` Eric Dumazet
2017-01-14 0:11 ` Krister Johansen [this message]
2017-01-21 1:49 ` [PATCH v3 " Krister Johansen
2017-01-23 20:39 ` David Miller
2017-01-24 17:11 ` David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170114001138.GC3094@templeofstupid.com \
--to=kjlx@templeofstupid$(echo .)com \
--cc=davem@davemloft$(echo .)net \
--cc=eric.dumazet@gmail$(echo .)com \
--cc=netdev@vger$(echo .)kernel.org \
--cc=stephen@networkplumber$(echo .)org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox