On 11/3/21 4:39 AM, David Ahern wrote:
On 11/1/21 10:34 AM, Leonard Crestez wrote:
diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c index 97eb54774924..cc34de6e4817 100644 --- a/net/ipv4/sysctl_net_ipv4.c +++ b/net/ipv4/sysctl_net_ipv4.c @@ -17,10 +17,11 @@ #include <net/udp.h> #include <net/cipso_ipv4.h> #include <net/ping.h> #include <net/protocol.h> #include <net/netevent.h> +#include <net/tcp_authopt.h> static int two = 2; static int three __maybe_unused = 3; static int four = 4; static int thousand = 1000; @@ -583,10 +584,19 @@ static struct ctl_table ipv4_table[] = { .mode = 0644, .proc_handler = proc_douintvec_minmax, .extra1 = &sysctl_fib_sync_mem_min, .extra2 = &sysctl_fib_sync_mem_max, }, +#ifdef CONFIG_TCP_AUTHOPT
- {
.procname = "tcp_authopt",.data = &sysctl_tcp_authopt,.maxlen = sizeof(int),.mode = 0644,.proc_handler = proc_dointvec,Just add it to the namespace set, and this could be a u8 (try to plug a hole if possible) with min/max specified:
.maxlen = sizeof(u8), .mode = 0644, .extra1 = SYSCTL_ZERO, .extra2 = SYSCTL_ONEsee icmp_echo_enable_probe as an example. And if you are not going to clean up when toggled off, you need a handler that tells the user it can not be disabled by erroring out on attempts to disable it.
This is deliberately per-system because the goal is to avoid possible local privilege escalations by reducing the attack surface. Even the smallest flaw could be exploited by a malicious application establishing an authenticated connection on loopback.
Applications running in containers frequently have full access to sysctls so making this per-namespace would defeat the original purpose. I can't think of any reason to prevent using this feature at the namespace level, it has no interesting effects outside TCP connections for which it is enabled.
I also believe that as similar sysctl would be useful for TCP-MD5.
You're right about adding additional prints.
-- Regards, Leonard