From: Daniel Lezcano Date: Thu, 10 Jan 2008 10:57:43 +0000 (-0800) Subject: [NETNS][IPV6]: Make mld_max_msf readonly in other namespaces. X-Git-Tag: v2.6.25-rc1~1162^2~819 X-Git-Url: https://err.no/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7c76509d0da99f29289b9b7ab134791e45d49b15;p=linux-2.6 [NETNS][IPV6]: Make mld_max_msf readonly in other namespaces. The mld_max_msf protects the system with a maximum allowed multicast source filters. Making this variable per namespace can be potentially an problem if someone inside a namespace set it to a big value, that will impact the whole system including other namespaces. I don't see any benefits to have it per namespace for now, so in order to keep a directory entry in a newly created namespace, I make it read-only when we are not in the initial network namespace. Signed-off-by: Daniel Lezcano Signed-off-by: David S. Miller --- diff --git a/net/ipv6/sysctl_net_ipv6.c b/net/ipv6/sysctl_net_ipv6.c index ae3cfd1b8e..d223159638 100644 --- a/net/ipv6/sysctl_net_ipv6.c +++ b/net/ipv6/sysctl_net_ipv6.c @@ -122,6 +122,12 @@ static int ipv6_sysctl_net_init(struct net *net) ipv6_table[5].data = &net->ipv6.sysctl.frags.timeout; ipv6_table[6].data = &net->ipv6.sysctl.frags.secret_interval; + /* We don't want this value to be per namespace, it should be global + to all namespaces, so make it read-only when we are not in the + init network namespace */ + if (net != &init_net) + ipv6_table[7].mode = 0444; + net->ipv6.sysctl.table = register_net_sysctl_table(net, net_ipv6_ctl_path, ipv6_table); if (!net->ipv6.sysctl.table)