SafeSysctlWhitelist: add net.ipv4.ping_group_range

AkihiroSuda · AkihiroSuda · commit 821362bd1e36 · 2019-11-20T07:26:02.000+09:00
sysctl value `net.ipv4.ping_group_range` can be used for allowing `ping` command without `CAP_NET_RAW` capability. e.g. `net.ipv4.ping_group_range="0 42"` to allow ping for users with GID 0-GID 42. This sysctl value was introduced in kernel 3.0 and has been namespaced since its birth. torvalds/linux@c319b4d#diff-5b536a7a92abed603bbb4caa61613270R57 Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
diff --git a/pkg/security/podsecuritypolicy/sysctl/mustmatchpatterns.go b/pkg/security/podsecuritypolicy/sysctl/mustmatchpatterns.go
@@ -34,6 +34,7 @@ func SafeSysctlWhitelist() []string {
 		"kernel.shm_rmid_forced",
 		"net.ipv4.ip_local_port_range",
 		"net.ipv4.tcp_syncookies",
+		"net.ipv4.ping_group_range",
 	}
 }
 

Original file line number	Diff line number	Diff line change
`@@ -34,6 +34,7 @@ func SafeSysctlWhitelist() []string {`
`34`	`34`	`"kernel.shm_rmid_forced",`
`35`	`35`	`"net.ipv4.ip_local_port_range",`
`36`	`36`	`"net.ipv4.tcp_syncookies",`
	`37`	`+ "net.ipv4.ping_group_range",`
`37`	`38`	`}`
`38`	`39`	`}`
`39`	`40`