From: Stanislav Kinsburskiy <skinsbur...@parallels.com>
Signed-off-by: Stanislav Kinsburskiy <skinsbur...@parallels.com>
---
 net/netfilter/nf_conntrack_standalone.c | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
index ee2889d..d1915e5 100644
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -477,6 +477,21 @@ static struct ctl_table nf_ct_netfilter_table[] = {
 static int zero;
+static int nf_conntrack_hide_sysctl(struct net *net)
+{
+	/*
+	 * This can happen only on VE creation, when process created VE cgroup,
+	 * and clones a child with new network namespace.
+	 */
+	if (net->owner_ve->init_cred == NULL)
+		return 0;
+
+	/*
+	 * Expose sysctl only for container's init user namespace
+	 */
+	return net->user_ns != net->owner_ve->init_cred->user_ns;
+}
+
 static int nf_conntrack_standalone_init_sysctl(struct net *net)
 {
 	struct ctl_table *table;
@@ -494,7 +509,7 @@ static int nf_conntrack_standalone_init_sysctl(struct net *net)
 	table[5].data = &net->ct.expect_max;
 	/* Don't export sysctls to unprivileged users */
-	if (net->user_ns != &init_user_ns)
+	if (nf_conntrack_hide_sysctl(net))
 		table[0].procname = NULL;
 	if (!net_eq(net, &init_net)) {
_______________________________________________ Devel mailing list Devel@openvz.org https://lists.openvz.org/mailman/listinfo/devel
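Review bot: The early return in nf_conntrack_hide_sysctl fails open: when `net->owner_ve->init_cred` is NULL it returns 0, so the caller in the second hunk keeps `table[0].procname` set and the conntrack sysctls are exported to the new namespace, whereas the replaced test (`net->user_ns != &init_user_ns`) hid them for every non-init user namespace. If the VE-creation window only ever happens for namespaces owned by the host's init user namespace this is harmless, but nothing in the hunk establishes that, and falling back to the previous test keeps the default closed: `if (net->owner_ve->init_cred == NULL) return net->user_ns != &init_user_ns;`. The function also dereferences `net->owner_ve` unconditionally; whether it can be NULL on this path cannot be seen here and is worth confirming. A one-line header comment stating the contract, `/* Returns non-zero when conntrack sysctls must not be exported for @net. */`, would make the call site in nf_conntrack_standalone_init_sysctl self-explanatory.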