1 | // SPDX-License-Identifier: GPL-2.0-only |
2 | /* -*- linux-c -*- |
3 | * sysctl_net.c: sysctl interface to net subsystem. |
4 | * |
5 | * Begun April 1, 1996, Mike Shaver. |
6 | * Added /proc/sys/net directories for each protocol family. [MS] |
7 | * |
8 | * Revision 1.2 1996/05/08 20:24:40 shaver |
9 | * Added bits for NET_BRIDGE and the NET_IPV4_ARP stuff and |
10 | * NET_IPV4_IP_FORWARD. |
11 | * |
12 | * |
13 | */ |
14 | |
15 | #include <linux/mm.h> |
16 | #include <linux/export.h> |
17 | #include <linux/sysctl.h> |
18 | #include <linux/nsproxy.h> |
19 | |
20 | #include <net/sock.h> |
21 | |
22 | #ifdef CONFIG_INET |
23 | #include <net/ip.h> |
24 | #endif |
25 | |
26 | #ifdef CONFIG_NET |
27 | #include <linux/if_ether.h> |
28 | #endif |
29 | |
30 | static struct ctl_table_set * |
31 | (struct ctl_table_root *root) |
32 | { |
33 | return ¤t->nsproxy->net_ns->sysctls; |
34 | } |
35 | |
36 | static int is_seen(struct ctl_table_set *set) |
37 | { |
38 | return ¤t->nsproxy->net_ns->sysctls == set; |
39 | } |
40 | |
41 | /* Return standard mode bits for table entry. */ |
42 | static int net_ctl_permissions(struct ctl_table_header *head, |
43 | struct ctl_table *table) |
44 | { |
45 | struct net *net = container_of(head->set, struct net, sysctls); |
46 | |
47 | /* Allow network administrator to have same access as root. */ |
48 | if (ns_capable_noaudit(ns: net->user_ns, CAP_NET_ADMIN)) { |
49 | int mode = (table->mode >> 6) & 7; |
50 | return (mode << 6) | (mode << 3) | mode; |
51 | } |
52 | |
53 | return table->mode; |
54 | } |
55 | |
56 | static void net_ctl_set_ownership(struct ctl_table_header *head, |
57 | struct ctl_table *table, |
58 | kuid_t *uid, kgid_t *gid) |
59 | { |
60 | struct net *net = container_of(head->set, struct net, sysctls); |
61 | kuid_t ns_root_uid; |
62 | kgid_t ns_root_gid; |
63 | |
64 | ns_root_uid = make_kuid(from: net->user_ns, uid: 0); |
65 | if (uid_valid(uid: ns_root_uid)) |
66 | *uid = ns_root_uid; |
67 | |
68 | ns_root_gid = make_kgid(from: net->user_ns, gid: 0); |
69 | if (gid_valid(gid: ns_root_gid)) |
70 | *gid = ns_root_gid; |
71 | } |
72 | |
73 | static struct ctl_table_root net_sysctl_root = { |
74 | .lookup = net_ctl_header_lookup, |
75 | .permissions = net_ctl_permissions, |
76 | .set_ownership = net_ctl_set_ownership, |
77 | }; |
78 | |
79 | static int __net_init sysctl_net_init(struct net *net) |
80 | { |
81 | setup_sysctl_set(p: &net->sysctls, root: &net_sysctl_root, is_seen); |
82 | return 0; |
83 | } |
84 | |
85 | static void __net_exit sysctl_net_exit(struct net *net) |
86 | { |
87 | retire_sysctl_set(set: &net->sysctls); |
88 | } |
89 | |
90 | static struct pernet_operations sysctl_pernet_ops = { |
91 | .init = sysctl_net_init, |
92 | .exit = sysctl_net_exit, |
93 | }; |
94 | |
95 | static struct ctl_table_header *; |
96 | __init int net_sysctl_init(void) |
97 | { |
98 | static struct ctl_table empty[1]; |
99 | int ret = -ENOMEM; |
100 | /* Avoid limitations in the sysctl implementation by |
101 | * registering "/proc/sys/net" as an empty directory not in a |
102 | * network namespace. |
103 | */ |
104 | net_header = register_sysctl_sz(path: "net" , table: empty, table_size: 0); |
105 | if (!net_header) |
106 | goto out; |
107 | ret = register_pernet_subsys(&sysctl_pernet_ops); |
108 | if (ret) |
109 | goto out1; |
110 | out: |
111 | return ret; |
112 | out1: |
113 | unregister_sysctl_table(table: net_header); |
114 | net_header = NULL; |
115 | goto out; |
116 | } |
117 | |
118 | /* Verify that sysctls for non-init netns are safe by either: |
119 | * 1) being read-only, or |
120 | * 2) having a data pointer which points outside of the global kernel/module |
121 | * data segment, and rather into the heap where a per-net object was |
122 | * allocated. |
123 | */ |
124 | static void ensure_safe_net_sysctl(struct net *net, const char *path, |
125 | struct ctl_table *table, size_t table_size) |
126 | { |
127 | struct ctl_table *ent; |
128 | |
129 | pr_debug("Registering net sysctl (net %p): %s\n" , net, path); |
130 | ent = table; |
131 | for (size_t i = 0; i < table_size && ent->procname; ent++, i++) { |
132 | unsigned long addr; |
133 | const char *where; |
134 | |
135 | pr_debug(" procname=%s mode=%o proc_handler=%ps data=%p\n" , |
136 | ent->procname, ent->mode, ent->proc_handler, ent->data); |
137 | |
138 | /* If it's not writable inside the netns, then it can't hurt. */ |
139 | if ((ent->mode & 0222) == 0) { |
140 | pr_debug(" Not writable by anyone\n" ); |
141 | continue; |
142 | } |
143 | |
144 | /* Where does data point? */ |
145 | addr = (unsigned long)ent->data; |
146 | if (is_module_address(addr)) |
147 | where = "module" ; |
148 | else if (is_kernel_core_data(addr)) |
149 | where = "kernel" ; |
150 | else |
151 | continue; |
152 | |
153 | /* If it is writable and points to kernel/module global |
154 | * data, then it's probably a netns leak. |
155 | */ |
156 | WARN(1, "sysctl %s/%s: data points to %s global data: %ps\n" , |
157 | path, ent->procname, where, ent->data); |
158 | |
159 | /* Make it "safe" by dropping writable perms */ |
160 | ent->mode &= ~0222; |
161 | } |
162 | } |
163 | |
164 | struct ctl_table_header *register_net_sysctl_sz(struct net *net, |
165 | const char *path, |
166 | struct ctl_table *table, |
167 | size_t table_size) |
168 | { |
169 | int count; |
170 | struct ctl_table *entry; |
171 | |
172 | if (!net_eq(net1: net, net2: &init_net)) |
173 | ensure_safe_net_sysctl(net, path, table, table_size); |
174 | |
175 | entry = table; |
176 | for (count = 0 ; count < table_size && entry->procname; entry++, count++) |
177 | ; |
178 | |
179 | return __register_sysctl_table(set: &net->sysctls, path, table, table_size: count); |
180 | } |
181 | EXPORT_SYMBOL_GPL(register_net_sysctl_sz); |
182 | |
183 | void unregister_net_sysctl_table(struct ctl_table_header *) |
184 | { |
185 | unregister_sysctl_table(table: header); |
186 | } |
187 | EXPORT_SYMBOL_GPL(unregister_net_sysctl_table); |
188 | |