mirror of https://github.com/torvalds/linux.git
Let's make all IPVS sysctls writable even when network namespace is owned by non-initial user namespace.

Let's make a few sysctls to be read-only for non-privileged users:
- sync_qlen_max
- sync_sock_size
- run_estimation
- est_cpulist
- est_nice

I'm trying to be conservative with this to prevent introducing any security issues in there. Maybe, we can allow more sysctls to be writable, but let's do this on-demand and when we see real use-case.

This patch is motivated by user request in the LXC project [1]. Having this can help with running some Kubernetes [2] or Docker Swarm [3] workloads inside the system containers.

Link: https://github.com/lxc/lxc/issues/4278 [1]
Link:

||
|---|---|---|
| Kconfig | ||
| Makefile | ||
| ip_vs_app.c | ||
| ip_vs_conn.c | ||
| ip_vs_core.c | ||
| ip_vs_ctl.c | ||
| ip_vs_dh.c | ||
| ip_vs_est.c | ||
| ip_vs_fo.c | ||
| ip_vs_ftp.c | ||
| ip_vs_lblc.c | ||
| ip_vs_lblcr.c | ||
| ip_vs_lc.c | ||
| ip_vs_mh.c | ||
| ip_vs_nfct.c | ||
| ip_vs_nq.c | ||
| ip_vs_ovf.c | ||
| ip_vs_pe.c | ||
| ip_vs_pe_sip.c | ||
| ip_vs_proto.c | ||
| ip_vs_proto_ah_esp.c | ||
| ip_vs_proto_sctp.c | ||
| ip_vs_proto_tcp.c | ||
| ip_vs_proto_udp.c | ||
| ip_vs_rr.c | ||
| ip_vs_sched.c | ||
| ip_vs_sed.c | ||
| ip_vs_sh.c | ||
| ip_vs_sync.c | ||
| ip_vs_twos.c | ||
| ip_vs_wlc.c | ||
| ip_vs_wrr.c | ||
| ip_vs_xmit.c | ||