netfilter: ipvs: make global sysctl readonly in non-init netns

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

Because the data pointer of net/ipv4/vs/debug_level is not updated per
netns, it must be marked as read-only in non-init netns.

Fixes: c6d2d445d8de ("IPVS: netns, final patch enabling network name space.")
Signed-off-by: Antoine Tenart <atenart@kernel.org>
Acked-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

authored by

Antoine Tenart and committed by

Pablo Neira Ayuso 4 years ago 174c3762 a482c5e0

1 changed file

expand all

net

netfilter

ipvs

ip_vs_ctl.c

net/netfilter/ipvs/ip_vs_ctl.c

··· 4090 4090 tbl[idx++].data = &ipvs->sysctl_conn_reuse_mode; 4091 4091 tbl[idx++].data = &ipvs->sysctl_schedule_icmp; 4092 4092 tbl[idx++].data = &ipvs->sysctl_ignore_tunneled; 4093 + #ifdef CONFIG_IP_VS_DEBUG 4094 + /* Global sysctls must be ro in non-init netns */ 4095 + if (!net_eq(net, &init_net)) 4096 + tbl[idx++].mode = 0444; 4097 + #endif 4093 4098 4094 4099 ipvs->sysctl_hdr = register_net_sysctl(net, "net/ipv4/vs", tbl); 4095 4100 if (ipvs->sysctl_hdr == NULL) {