br_netfilter: namespace sysctl operations
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux (Ubuntu) | Fix Released | Undecided | Unassigned |
Bionic | Fix Released | Medium | Connor Kuehl |
Disco | Fix Released | Medium | Connor Kuehl |
Bug Description
SRU Justification
Impact: Currently, the /proc/sys/
Fix: The patches linked below ensure that the /proc/sys/
In doing so the patch makes the sysctls:
bridge-
bridge-
bridge-
bridge-
bridge-
bridge-
apply per network namespace.
Regression Potential: Low since it is limited to the br_netfilter module. I tested the patchset extensively by compiling a kernel with the patches applied. I loaded and unloaded the module and verified that it works correctly for the container usecase and does not crash. The Google ChromeOS team has also backported this patchset to their kernel and has not seen any issues so far: https:/
The security impact on netfilter rules is also low. Netfilter rules are already per network namespace, so it is safe to let users decide whether bridge devices inside their network namespace are run through iptables et al. or not. This can already be done per bridge by setting an option on each individual bridge via Netlink; it should also be possible to do it for all bridges in a network namespace via the sysctls.
Test Case: Tested with LXD on a kernel with the patches applied and per-network namespace iptables.
Target Kernels: All LTS kernels starting from 4.15. Kernel 5.3 has the patchset upstream.
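The test case above is described only in one sentence. The script below is an added example, not code from the bug report or from the kernel patches: it checks the property the SRU is meant to provide, namely that a br_netfilter sysctl inside a fresh network namespace is a separate copy from the host's, so flipping it in the namespace leaves init_net untouched. It needs root (CAP_SYS_ADMIN and CAP_NET_ADMIN), iproute2 and the br_netfilter module; the scratch namespace name and the choice of knob are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the bug report or from the kernel patches.
# Checks whether a br_netfilter sysctl is scoped to the network namespace,
# which is what the SRU is meant to provide: on a fixed kernel every netns
# gets its own /proc/sys/net/bridge/ and flipping a knob in one namespace
# must not change the host's copy. Needs root (CAP_SYS_ADMIN/CAP_NET_ADMIN),
# iproute2 and the br_netfilter module. The scratch namespace name and the
# choice of knob are this example's own assumptions.

NS="brnf-sru-test"                                   # assumed not to exist yet
KNOB="/proc/sys/net/bridge/bridge-nf-call-iptables"  # one of the six namespaced knobs

# Print the knob as seen from netns $1 (the host's init_net when $1 is empty).
# /proc/sys/net is resolved against the reading task's netns, so "ip netns
# exec" is all that is needed to select which copy is read.
read_knob() {
    if [ -n "$1" ]; then ip netns exec "$1" cat "$KNOB"; else cat "$KNOB"; fi
}

# Write value $2 to the knob inside netns $1 (host when $1 is empty).
write_knob() {
    if [ -n "$1" ]; then ip netns exec "$1" sh -c "echo $2 > $KNOB"
    else echo "$2" > "$KNOB"; fi
}

cleanup() { ip netns del "$NS" 2>/dev/null || true; }

# Exit status: 0 = knob is per netns (fixed kernel); 1 = knob absent inside
# the netns (unfixed kernel: only init_net had /proc/sys/net/bridge);
# 2 = knob visible but shared with the host; 3 = environment cannot run it.
check_per_netns() {
    [ -e "$KNOB" ] || modprobe br_netfilter 2>/dev/null || return 3
    ip netns add "$NS" 2>/dev/null || return 3
    trap cleanup EXIT
    ip netns exec "$NS" true 2>/dev/null || { cleanup; return 3; }

    if ! ip netns exec "$NS" test -e "$KNOB" 2>/dev/null; then cleanup; return 1; fi

    host_orig=$(read_knob "") || { cleanup; return 3; }
    ns_orig=$(read_knob "$NS") || { cleanup; return 3; }

    # Flip the value only inside the namespace, then look at both copies.
    if [ "$ns_orig" = "1" ]; then flipped=0; else flipped=1; fi
    write_knob "$NS" "$flipped"
    host_after=$(read_knob "")
    ns_after=$(read_knob "$NS")

    # Restore both copies before judging, then drop the scratch namespace.
    write_knob "$NS" "$ns_orig"
    write_knob "" "$host_orig"
    cleanup

    [ "$ns_after" = "$flipped" ] || return 2
    [ "$host_after" = "$host_orig" ] || return 2
    return 0
}

# Human-readable verdict, as one would paste into the SRU verification.
report() {
    case "$1" in
        0) echo "OK: $KNOB is per network namespace" ;;
        1) echo "MISSING: $KNOB is not visible inside netns $NS (kernel lacks the patches)" ;;
        2) echo "SHARED: writing $KNOB inside netns $NS changed the host's value" ;;
        *) echo "SKIP: need root, iproute2 and br_netfilter to run this check" ;;
    esac
}

check_per_netns; report "$?"
```

On an unpatched kernel the script reports MISSING, because /proc/sys/net/bridge only existed in init_net before the patches; on a fixed kernel it reports OK. Run it from the host rather than from inside a container, since a container that is itself a non-init netns on an unpatched kernel will never see the knob.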
Changed in linux (Ubuntu): status: Incomplete → Confirmed; description: updated
Changed in linux (Ubuntu Bionic): status: New → In Progress
Changed in linux (Ubuntu Disco): status: New → In Progress
Changed in linux (Ubuntu Bionic): importance: Undecided → Medium
Changed in linux (Ubuntu Disco): importance: Undecided → Medium; assignee: nobody → Connor Kuehl (connork)
Changed in linux (Ubuntu Bionic): assignee: nobody → Connor Kuehl (connork)
Changed in linux (Ubuntu): status: Confirmed → Invalid
Changed in linux (Ubuntu): status: Invalid → Fix Committed; description: updated; description: updated
Changed in linux (Ubuntu Disco): status: In Progress → Fix Committed; tags: added verification-done-bionic verification-done-disco, removed verification-needed-bionic verification-needed-disco
Changed in linux (Ubuntu Bionic): status: In Progress → Fix Committed; tags: added verification-done-bionic, removed verification-needed-bionic
Relevant upstream commits are:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ff6d090d0db41425aef0cfe5dc58bb3cc12514a2
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=22567590b2e634247931b3d2351384ba45720ebe
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7e6daf50e1f4ea0ecd56406beb64ffc66e1e94db