Commit d62c612e authored by Pavel Emelyanov's avatar Pavel Emelyanov Committed by David S. Miller

netns: Introduce sysctl root for read-only net sysctls.

This one stores all ctl-heads in one list and restricts the
permissions not give write access to non-init net namespaces.
Signed-off-by: default avatarPavel Emelyanov <>
Signed-off-by: default avatarDavid S. Miller <>
parent 5b06c85c
......@@ -201,8 +201,11 @@ extern void unregister_pernet_gen_device(int id, struct pernet_operations *);
struct ctl_path;
struct ctl_table;
struct ctl_table_header;
extern struct ctl_table_header *register_net_sysctl_table(struct net *net,
const struct ctl_path *path, struct ctl_table *table);
extern struct ctl_table_header *register_net_sysctl_rotable(
const struct ctl_path *path, struct ctl_table *table);
extern void unregister_net_sysctl_table(struct ctl_table_header *header);
#endif /* __NET_NET_NAMESPACE_H */
......@@ -40,6 +40,27 @@ static struct ctl_table_root net_sysctl_root = {
.lookup = net_ctl_header_lookup,
static LIST_HEAD(net_sysctl_ro_tables);
static struct list_head *net_ctl_ro_header_lookup(struct ctl_table_root *root,
struct nsproxy *namespaces)
return &net_sysctl_ro_tables;
static int net_ctl_ro_header_perms(struct ctl_table_root *root,
struct nsproxy *namespaces, struct ctl_table *table)
if (namespaces->net_ns == &init_net)
return table->mode;
return table->mode & ~0222;
static struct ctl_table_root net_sysctl_ro_root = {
.lookup = net_ctl_ro_header_lookup,
.permissions = net_ctl_ro_header_perms,
static int sysctl_net_init(struct net *net)
......@@ -64,6 +85,7 @@ static __init int sysctl_init(void)
if (ret)
goto out;
return ret;
......@@ -80,6 +102,14 @@ struct ctl_table_header *register_net_sysctl_table(struct net *net,
struct ctl_table_header *register_net_sysctl_rotable(const
struct ctl_path *path, struct ctl_table *table)
return __register_sysctl_paths(&net_sysctl_ro_root,
&init_nsproxy, path, table);
void unregister_net_sysctl_table(struct ctl_table_header *header)
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment