From: Aleksandr Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
To: Julian Anastasov <ja@ssi.bg>
Cc: horms@verge.net.au, netdev@vger.kernel.org,
lvs-devel@vger.kernel.org, netfilter-devel@vger.kernel.org,
linux-kernel@vger.kernel.org,
"Stéphane Graber" <stgraber@stgraber.org>,
"Christian Brauner" <brauner@kernel.org>,
"Pablo Neira Ayuso" <pablo@netfilter.org>,
"Jozsef Kadlecsik" <kadlec@netfilter.org>,
"Florian Westphal" <fw@strlen.de>
Subject: Re: [PATCH net-next] ipvs: allow some sysctls in non-init user namespaces
Date: Thu, 18 Apr 2024 13:05:19 +0200 [thread overview]
Message-ID: <CAEivzxfDLSrHP2H1ou8rccGLOxk5tycZH1+VKt3X8S0QcXNxcA@mail.gmail.com> (raw)
In-Reply-To: <32f56a2e-8142-4391-916a-65fe51a57933@ssi.bg>
On Wed, Apr 17, 2024 at 3:02 PM Julian Anastasov <ja@ssi.bg> wrote:
>
>
> Hello,
Dear Julian,
>
> On Tue, 16 Apr 2024, Alexander Mikhalitsyn wrote:
>
> > Let's make all IPVS sysctls visible and RO even when
> > network namespace is owned by non-initial user namespace.
> >
> > Let's make a few sysctls to be writable:
> > - conntrack
> > - conn_reuse_mode
> > - expire_nodest_conn
> > - expire_quiescent_template
> >
> > I'm trying to be conservative with this to prevent
> > introducing any security issues in there. Maybe,
> > we can allow more sysctls to be writable, but let's
> > do this on-demand and when we see real use-case.
> >
> > This list of sysctls was chosen because I can't
> > see any security risks allowing them and also
> > Kubernetes uses [2] these specific sysctls.
> >
> > This patch is motivated by user request in the LXC
> > project [1].
> >
> > [1] https://github.com/lxc/lxc/issues/4278
> > [2] https://github.com/kubernetes/kubernetes/blob/b722d017a34b300a2284b890448e5a605f21d01e/pkg/proxy/ipvs/proxier.go#L103
> >
> > Cc: Stéphane Graber <stgraber@stgraber.org>
> > Cc: Christian Brauner <brauner@kernel.org>
> > Cc: Julian Anastasov <ja@ssi.bg>
> > Cc: Simon Horman <horms@verge.net.au>
> > Cc: Pablo Neira Ayuso <pablo@netfilter.org>
> > Cc: Jozsef Kadlecsik <kadlec@netfilter.org>
> > Cc: Florian Westphal <fw@strlen.de>
> > Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
> > ---
> > net/netfilter/ipvs/ip_vs_ctl.c | 18 +++++++++++++++---
> > 1 file changed, 15 insertions(+), 3 deletions(-)
> >
> > diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
> > index 143a341bbc0a..92a818c2f783 100644
> > --- a/net/netfilter/ipvs/ip_vs_ctl.c
> > +++ b/net/netfilter/ipvs/ip_vs_ctl.c
> > @@ -4285,10 +4285,22 @@ static int __net_init ip_vs_control_net_init_sysctl(struct netns_ipvs *ipvs)
>
> As the list of privileged vars is short I prefer
> to use a bool and to make only some vars read-only:
>
> bool unpriv = false;
>
> > if (tbl == NULL)
> > return -ENOMEM;
> >
> > - /* Don't export sysctls to unprivileged users */
> > + /* Let's show all sysctls in non-init user namespace-owned
> > + * net namespaces, but make them read-only.
> > + *
> > + * Allow only a few specific sysctls to be writable.
> > + */
> > if (net->user_ns != &init_user_ns) {
>
> Here we should just set: unpriv = true;
>
> > - tbl[0].procname = NULL;
> > - ctl_table_size = 0;
> > + for (idx = 0; idx < ARRAY_SIZE(vs_vars); idx++) {
> > + if (!tbl[idx].procname)
> > + continue;
> > +
> > + if (!((strcmp(tbl[idx].procname, "conntrack") == 0) ||
> > + (strcmp(tbl[idx].procname, "conn_reuse_mode") == 0) ||
> > + (strcmp(tbl[idx].procname, "expire_nodest_conn") == 0) ||
> > + (strcmp(tbl[idx].procname, "expire_quiescent_template") == 0)))
> > + tbl[idx].mode = 0444;
> > + }
> > }
> > } else
> > tbl = vs_vars;
>
> And below at every place to use:
>
> if (unpriv)
> tbl[idx].mode = 0444;
>
> for the following 4 privileged sysctl vars:
>
> - sync_qlen_max:
> - allocates messages in kernel context
> - this needs better tunning in another patch
>
> - sync_sock_size:
> - allocates messages in kernel context
>
> - run_estimation:
> - for now, better init ns to decide if to use est stats
>
> - est_nice:
> - for now, better init ns to decide the value
>
> - debug_level:
> - already set to 0444
>
> I.e. these vars allocate resources (mem, CPU) without
> proper control, so for now we will just copy them from init ns
> without allowing writing. And they are vars that are not tuned
> often. Also we do not know which netns is supposed to be the
> privileged one, some solutions move all devices out of init_net,
> so we can not decide where to use lower limits.
I agree. I have also decided to forbid "est_cpulist" for unprivileged users.
>
> OTOH, "amemthresh" is not privileged but needs single READ_ONCE
> for sysctl_amemthresh in update_defense_level() due to the possible
> div by zero if we allow writing to anyone, eg.:
>
> int amemthresh = max(READ_ONCE(ipvs->sysctl_amemthresh), 0);
> ...
> nomem = availmem < amemthresh;
> ... use only amemthresh
>
> All other vars can be writable.
Have fixed this and sent it as a separate patch! ;-)
Thanks a lot for such a quick review!
Kind regards,
Alex
>
> Regards
>
> --
> Julian Anastasov <ja@ssi.bg>
prev parent reply other threads:[~2024-04-18 11:05 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-04-16 14:48 [PATCH net-next] ipvs: allow some sysctls in non-init user namespaces Alexander Mikhalitsyn
2024-04-17 13:02 ` Julian Anastasov
2024-04-18 11:05 ` Aleksandr Mikhalitsyn [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAEivzxfDLSrHP2H1ou8rccGLOxk5tycZH1+VKt3X8S0QcXNxcA@mail.gmail.com \
--to=aleksandr.mikhalitsyn@canonical.com \
--cc=brauner@kernel.org \
--cc=fw@strlen.de \
--cc=horms@verge.net.au \
--cc=ja@ssi.bg \
--cc=kadlec@netfilter.org \
--cc=linux-kernel@vger.kernel.org \
--cc=lvs-devel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
--cc=stgraber@stgraber.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).