Bug 1315335

Summary: Enable unprivileged ping sockets
Product: [Fedora] Fedora Reporter: Daniel Walsh <dwalsh>
Component: kernelAssignee: Kernel Maintainer List <kernel-maint>
Status: CLOSED WORKSFORME QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rawhideCC: gansalmon, itamar, jeder, jonathan, jsynacek, kernel-maint, madhu.chinakonda, mchehab, walters
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1315337 (view as bug list) Environment:
Last Closed: 2016-05-27 14:13:33 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1315337    

Description Daniel Walsh 2016-03-07 13:46:57 UTC 
I have been told that the Linux kernel supports allowing ping to send out packets without requiring as much privileges.   And this would allow us to use prctl(NO_NEW_PRIVS) for certain containers, but still allow tools like ping and traceroute to work.  

If this is true, can we get this turned on in the Kernel?
Comment 1 Colin Walters 2016-03-07 15:25:44 UTC 
This is controlled now by net.ipv4.ping_group_range.  Changing that default to allow all gids should work.  However last I checked, our copy of /usr/bin/ping wasn't compiled to even try ping sockets.  So that would also need to change.

See:
http://openwall.info/wiki/people/segoon/ping
https://sturmflut.github.io/linux/ubuntu/2015/01/17/unprivileged-icmp-sockets-on-linux/
Comment 2 Josh Boyer 2016-03-07 16:01:40 UTC 
As Colin points out, it's a sysctl and therefore can be tuned at runtime.  There's no need to change anything in the kernel to get this to work.

(Note that the sysctl is under the ipv4 directory, but it controls this functionality for both ipv4 and ipv6.)
Comment 3 Colin Walters 2016-03-07 16:18:52 UTC 
(In reply to Josh Boyer from comment #2)
> As Colin points out, it's a sysctl and therefore can be tuned at runtime. 
> There's no need to change anything in the kernel to get this to work.

The kernel RPM currently contains the default for the sysctl.  That doesn't mean it has to change there - we could also put an override in systemd or somewhere else.  But regardless of that, there is new API/attack surface being made generally available (as opposed to the current IMO relative obscurity this feature lives under), so having a discussion here in kernel bugzilla would make sense, right?
Comment 4 Josh Boyer 2016-03-07 16:25:03 UTC 
(In reply to Colin Walters from comment #3)
> (In reply to Josh Boyer from comment #2)
> > As Colin points out, it's a sysctl and therefore can be tuned at runtime. 
> > There's no need to change anything in the kernel to get this to work.
> 
> The kernel RPM currently contains the default for the sysctl. 

Only in the form of whatever default is in the actual source code.  We don't ship configuration files for the sysctls in the kernel RPM.  Those come from individual packages, or systemd, or at one point long ago maybe initscripts.

> mean it has to change there - we could also put an override in systemd or
> somewhere else.  But regardless of that, there is new API/attack surface
> being made generally available (as opposed to the current IMO relative
> obscurity this feature lives under), so having a discussion here in kernel
> bugzilla would make sense, right?

I don't see what there is to discuss though.  The functionality, obscure or not, has been present for IPv4 since 2011 and IPv6 since 2013.  From a kernel perspective, enabling it doesn't change the fact that anyone could have done so for 5 years already.
Comment 5 Daniel Walsh 2016-03-07 17:04:52 UTC 
Switching to iputils to see if they have any comments on this.
Comment 6 Daniel Walsh 2016-03-07 17:05:41 UTC 
Josh do you believe rhel7 has this feature also?
Comment 7 Josh Boyer 2016-03-07 17:42:03 UTC 
(In reply to Daniel Walsh from comment #6)
> Josh do you believe rhel7 has this feature also?

It should for IPv4 at least.  The rhel7 box I have locally has the sysctl and the commits are old enough that they should be in the upstream 3.10 kernel anyway.

The IPv6 support was added in the upstream 3.11 kernel.  Someone on the RHEL side would need to verify if commit 6d0bfe22611602f36617bc7aa2ffa1bbb2f54c67 was included.
Comment 8 Jan Synacek 2016-03-08 09:00:05 UTC 
(In reply to Colin Walters from comment #1)
> This is controlled now by net.ipv4.ping_group_range.  Changing that default
> to allow all gids should work.  However last I checked, our copy of
> /usr/bin/ping wasn't compiled to even try ping sockets.  So that would also
> need to change.

I don't know what/when you checked, but if you remove all capabilities from /usr/bin/ping, set net.ipv4.ping_group_range to "0 <something huge>" and try to ping something, it works. At least on my machine, currently Fedora 24.
Comment 9 Jan Synacek 2016-03-08 09:06:34 UTC 
I also checked rhel7 and it doesn't work there (with rebased iputils). Is it really enabled there?
Comment 10 Daniel Walsh 2016-03-08 13:31:06 UTC 
I think that might be a namespaced sysctl, so we could turn this on via a container by container bases, versus turning it on for the entire machine, once we have docker run --sysctl support.