This root keeps ctl tables in one global list, but does not allow non-init namespaces to write to the tables stored in it.
Signed-off-by: Pavel Emelyanov <[EMAIL PROTECTED]>
---
 include/net/net_namespace.h | 2 ++
 net/sysctl_net.c | 33 +++++++++++++++++++++++++++++++++
 2 files changed, 35 insertions(+), 0 deletions(-)
diff --git a/include/net/net_namespace.h b/include/net/net_namespace.h
index 28738b7..2930ae3 100644
--- a/include/net/net_namespace.h
+++ b/include/net/net_namespace.h
@@ -173,6 +173,8 @@ struct ctl_table;
 struct ctl_table_header;
 extern struct ctl_table_header *register_net_sysctl_table(struct net *net,
 const struct ctl_path *path, struct ctl_table *table);
+extern struct ctl_table_header *register_init_net_ctl_table(
+ struct ctl_path *path, struct ctl_table *table);
 extern void unregister_net_sysctl_table(struct ctl_table_header *header);
 #endif /* __NET_NET_NAMESPACE_H */
diff --git a/net/sysctl_net.c b/net/sysctl_net.c
index 665e856..42c99e6 100644
--- a/net/sysctl_net.c
+++ b/net/sysctl_net.c
@@ -40,6 +40,30 @@ static struct ctl_table_root net_sysctl_root = {
 .lookup = net_ctl_header_lookup,
 };
+static LIST_HEAD(net_ro_headers);
+
+static struct list_head *net_ctl_ro_header_lookup(struct ctl_table_root *root,
+ struct nsproxy *namespaces)
+{
+ return &net_ro_headers;
+}
+
+static int net_ctl_ro_permissions(struct ctl_table_root *root,
+ struct nsproxy *ns, struct ctl_table *table)
+{
+ int mode;
+
+ mode = table->mode;
+ if (ns->net_ns != &init_net)
+ mode &= ~0222;
+ return mode;
+}
+
+static struct ctl_table_root net_sysctl_ro_root = {
+ .lookup = net_ctl_ro_header_lookup,
+ .permissions = net_ctl_ro_permissions,
+};
+
 static int sysctl_net_init(struct net *net)
 {
 INIT_LIST_HEAD(&net->sysctl_table_headers);
@@ -64,6 +88,7 @@ static __init int sysctl_init(void)
 if (ret)
 goto out;
 register_sysctl_root(&net_sysctl_root);
+ register_sysctl_root(&net_sysctl_ro_root);
 out:
 return ret;
 }
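Review bot: The new prototype `register_init_net_ctl_table(struct ctl_path *path, struct ctl_table *table)` drops the `const` that the sibling `register_net_sysctl_table` declaration two lines above carries on its `path` parameter, so a caller holding a `const struct ctl_path` array needs a cast or gets a qualifier warning. The definition in net/sysctl_net.c (the last hunk of this patch) has the same signature and would change with it; assuming `__register_sysctl_paths` accepts a const path, which the sibling's signature suggests, nothing else needs to move. I'd declare it as `extern struct ctl_table_header *register_init_net_ctl_table(const struct ctl_path *path, struct ctl_table *table);` and match that in the definition.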
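Review bot: `mode &= ~0222;` in `net_ctl_ro_permissions` is an unexplained octal mask, and nothing in the hunk says what the new root's policy is, which matters because this hook is the only thing standing between a non-init namespace and a write to a table that every namespace shares. Spell the intent out with the existing macro, `mode &= ~S_IWUGO;`, and put a comment on `net_sysctl_ro_root` such as `/* One list shared by all net namespaces; only init_net may write, every namespace keeps the read bits from table->mode. */`, since the hook deliberately leaves read access untouched for other namespaces. `net_ctl_ro_header_lookup` returning `&net_ro_headers` regardless of the namespace argument is what makes the list global and deserves a one-line comment saying so.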
@@ -80,6 +105,14 @@ struct ctl_table_header *register_net_sysctl_table(struct net *net,
 }
 EXPORT_SYMBOL_GPL(register_net_sysctl_table);
+struct ctl_table_header *register_init_net_ctl_table(struct ctl_path *path,
+ struct ctl_table *table)
+{
+ return __register_sysctl_paths(&net_sysctl_ro_root,
+ &init_nsproxy, path, table);
+}
+EXPORT_SYMBOL_GPL(register_net_ro_ctl_table);
+
 void unregister_net_sysctl_table(struct ctl_table_header *header)
 {
 return unregister_sysctl_table(header);
--
1.5.3.4
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
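Review bot: `EXPORT_SYMBOL_GPL(register_net_ro_ctl_table);` names a symbol this file never defines; the function added directly above it, and the one the header declares, is `register_init_net_ctl_table`, so the export should fail to build (EXPORT_SYMBOL takes the symbol's address) and no module would find the documented name exported. Change it to `EXPORT_SYMBOL_GPL(register_init_net_ctl_table);`. The function itself is complete within the hunk and simply forwards to `__register_sysctl_paths` with `init_nsproxy`, which is worth a one-line comment stating that tables registered here are owned by init_net even when called from elsewhere.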