1// SPDX-License-Identifier: GPL-2.0-only
2/* -*- linux-c -*-
3 * sysctl_net.c: sysctl interface to net subsystem.
4 *
5 * Begun April 1, 1996, Mike Shaver.
6 * Added /proc/sys/net directories for each protocol family. [MS]
7 *
8 * Revision 1.2 1996/05/08 20:24:40 shaver
9 * Added bits for NET_BRIDGE and the NET_IPV4_ARP stuff and
10 * NET_IPV4_IP_FORWARD.
11 *
12 *
13 */
14
15#include <linux/mm.h>
16#include <linux/export.h>
17#include <linux/sysctl.h>
18#include <linux/nsproxy.h>
19
20#include <net/sock.h>
21
22#ifdef CONFIG_INET
23#include <net/ip.h>
24#endif
25
26#ifdef CONFIG_NET
27#include <linux/if_ether.h>
28#endif
29
30static struct ctl_table_set *
31net_ctl_header_lookup(struct ctl_table_root *root)
32{
33 return &current->nsproxy->net_ns->sysctls;
34}
35
36static int is_seen(struct ctl_table_set *set)
37{
38 return &current->nsproxy->net_ns->sysctls == set;
39}
40
41/* Return standard mode bits for table entry. */
42static int net_ctl_permissions(struct ctl_table_header *head,
43 const struct ctl_table *table)
44{
45 struct net *net = container_of(head->set, struct net, sysctls);
46
47 /* Allow network administrator to have same access as root. */
48 if (ns_capable_noaudit(ns: net->user_ns, CAP_NET_ADMIN)) {
49 int mode = (table->mode >> 6) & 7;
50 return (mode << 6) | (mode << 3) | mode;
51 }
52
53 return table->mode;
54}
55
56static void net_ctl_set_ownership(struct ctl_table_header *head,
57 kuid_t *uid, kgid_t *gid)
58{
59 struct net *net = container_of(head->set, struct net, sysctls);
60 kuid_t ns_root_uid;
61 kgid_t ns_root_gid;
62
63 ns_root_uid = make_kuid(from: net->user_ns, uid: 0);
64 if (uid_valid(uid: ns_root_uid))
65 *uid = ns_root_uid;
66
67 ns_root_gid = make_kgid(from: net->user_ns, gid: 0);
68 if (gid_valid(gid: ns_root_gid))
69 *gid = ns_root_gid;
70}
71
72static struct ctl_table_root net_sysctl_root = {
73 .lookup = net_ctl_header_lookup,
74 .permissions = net_ctl_permissions,
75 .set_ownership = net_ctl_set_ownership,
76};
77
78static int __net_init sysctl_net_init(struct net *net)
79{
80 setup_sysctl_set(p: &net->sysctls, root: &net_sysctl_root, is_seen);
81 return 0;
82}
83
84static void __net_exit sysctl_net_exit(struct net *net)
85{
86 retire_sysctl_set(set: &net->sysctls);
87}
88
89static struct pernet_operations sysctl_pernet_ops = {
90 .init = sysctl_net_init,
91 .exit = sysctl_net_exit,
92};
93
94static struct ctl_table_header *net_header;
95__init int net_sysctl_init(void)
96{
97 static struct ctl_table empty[1];
98 int ret = -ENOMEM;
99 /* Avoid limitations in the sysctl implementation by
100 * registering "/proc/sys/net" as an empty directory not in a
101 * network namespace.
102 */
103 net_header = register_sysctl_sz(path: "net", table: empty, table_size: 0);
104 if (!net_header)
105 goto out;
106 ret = register_pernet_subsys(&sysctl_pernet_ops);
107 if (ret)
108 goto out1;
109out:
110 return ret;
111out1:
112 unregister_sysctl_table(table: net_header);
113 net_header = NULL;
114 goto out;
115}
116
117/* Verify that sysctls for non-init netns are safe by either:
118 * 1) being read-only, or
119 * 2) having a data pointer which points outside of the global kernel/module
120 * data segment, and rather into the heap where a per-net object was
121 * allocated.
122 */
123static void ensure_safe_net_sysctl(struct net *net, const char *path,
124 struct ctl_table *table, size_t table_size)
125{
126 struct ctl_table *ent;
127
128 pr_debug("Registering net sysctl (net %p): %s\n", net, path);
129 ent = table;
130 for (size_t i = 0; i < table_size; ent++, i++) {
131 unsigned long addr;
132 const char *where;
133
134 pr_debug(" procname=%s mode=%o proc_handler=%ps data=%p\n",
135 ent->procname, ent->mode, ent->proc_handler, ent->data);
136
137 /* If it's not writable inside the netns, then it can't hurt. */
138 if ((ent->mode & 0222) == 0) {
139 pr_debug(" Not writable by anyone\n");
140 continue;
141 }
142
143 /* Where does data point? */
144 addr = (unsigned long)ent->data;
145 if (is_module_address(addr))
146 where = "module";
147 else if (is_kernel_core_data(addr))
148 where = "kernel";
149 else
150 continue;
151
152 /* If it is writable and points to kernel/module global
153 * data, then it's probably a netns leak.
154 */
155 WARN(1, "sysctl %s/%s: data points to %s global data: %ps\n",
156 path, ent->procname, where, ent->data);
157
158 /* Make it "safe" by dropping writable perms */
159 ent->mode &= ~0222;
160 }
161}
162
163struct ctl_table_header *register_net_sysctl_sz(struct net *net,
164 const char *path,
165 struct ctl_table *table,
166 size_t table_size)
167{
168 if (!net_eq(net1: net, net2: &init_net))
169 ensure_safe_net_sysctl(net, path, table, table_size);
170
171 return __register_sysctl_table(set: &net->sysctls, path, table, table_size);
172}
173EXPORT_SYMBOL_GPL(register_net_sysctl_sz);
174
175void unregister_net_sysctl_table(struct ctl_table_header *header)
176{
177 unregister_sysctl_table(table: header);
178}
179EXPORT_SYMBOL_GPL(unregister_net_sysctl_table);
180