project-lakitu/app-emulation/docker/files/docker-20.10.24-patch-reverting-default-sysctl-value-setting.patch

From 6be39215a36a77ef6c1a9256cf799c5ee38b75ae Mon Sep 17 00:00:00 2001
From: Nobel Barakat <nobelbarakat@google.com>
Date: Wed, 26 Apr 2023 10:11:18 -0700
Subject: [PATCH] Revert "Add default sysctls to allow ping sockets and
 privileged ports with no capabilities"

This reverts commit dae652e2e5e47d99c8febd5bc81df0a3269beb74.
---
 daemon/oci_linux.go                         | 26 ----------
 daemon/oci_linux_test.go                    | 53 +--------------------
 integration-cli/docker_cli_run_unix_test.go | 15 +-----
 3 files changed, 3 insertions(+), 91 deletions(-)

diff --git a/daemon/oci_linux.go b/daemon/oci_linux.go
index 7b9a5dd03e..cb0571e176 100644
--- a/daemon/oci_linux.go
+++ b/daemon/oci_linux.go
@@ -700,14 +700,6 @@ func WithMounts(daemon *Daemon, c *container.Container) coci.SpecOpts {
 	}
 }
 
-// sysctlExists checks if a sysctl exists; runc will error if we add any that do not actually
-// exist, so do not add the default ones if running on an old kernel.
-func sysctlExists(s string) bool {
-	f := filepath.Join("/proc", "sys", strings.Replace(s, ".", "/", -1))
-	_, err := os.Stat(f)
-	return err == nil
-}
-
 // WithCommonOptions sets common docker options
 func WithCommonOptions(daemon *Daemon, c *container.Container) coci.SpecOpts {
 	return func(ctx context.Context, _ coci.Client, _ *containers.Container, s *coci.Spec) error {
@@ -760,24 +752,6 @@ func WithCommonOptions(daemon *Daemon, c *container.Container) coci.SpecOpts {
 		s.Hostname = c.Config.Hostname
 		setLinuxDomainname(c, s)
 
-		// Add default sysctls that are generally safe and useful; currently we
-		// grant the capabilities to allow these anyway. You can override if
-		// you want to restore the original behaviour.
-		// We do not set network sysctls if network namespace is host, or if we are
-		// joining an existing namespace, only if we create a new net namespace.
-		if c.HostConfig.NetworkMode.IsPrivate() {
-			// We cannot set up ping socket support in a user namespace
-			userNS := daemon.configStore.RemappedRoot != "" && c.HostConfig.UsernsMode.IsPrivate()
-			if !userNS && !sys.RunningInUserNS() && sysctlExists("net.ipv4.ping_group_range") {
-				// allow unprivileged ICMP echo sockets without CAP_NET_RAW
-				s.Linux.Sysctl["net.ipv4.ping_group_range"] = "0 2147483647"
-			}
-			// allow opening any port less than 1024 without CAP_NET_BIND_SERVICE
-			if sysctlExists("net.ipv4.ip_unprivileged_port_start") {
-				s.Linux.Sysctl["net.ipv4.ip_unprivileged_port_start"] = "0"
-			}
-		}
-
 		return nil
 	}
 }
diff --git a/daemon/oci_linux_test.go b/daemon/oci_linux_test.go
index 37d3cb3589..fbfcad281c 100644
--- a/daemon/oci_linux_test.go
+++ b/daemon/oci_linux_test.go
@@ -117,8 +117,7 @@ func TestSysctlOverride(t *testing.T) {
 			Domainname: "baz.cyphar.com",
 		},
 		HostConfig: &containertypes.HostConfig{
-			NetworkMode: "bridge",
-			Sysctls:     map[string]string{},
+			Sysctls: map[string]string{},
 		},
 	}
 	d := setupFakeDaemon(t, c)
@@ -129,65 +128,15 @@ func TestSysctlOverride(t *testing.T) {
 	assert.NilError(t, err)
 	assert.Equal(t, s.Hostname, "foobar")
 	assert.Equal(t, s.Linux.Sysctl["kernel.domainname"], c.Config.Domainname)
-	if sysctlExists("net.ipv4.ip_unprivileged_port_start") {
-		assert.Equal(t, s.Linux.Sysctl["net.ipv4.ip_unprivileged_port_start"], "0")
-	}
-	if sysctlExists("net.ipv4.ping_group_range") {
-		assert.Equal(t, s.Linux.Sysctl["net.ipv4.ping_group_range"], "0 2147483647")
-	}
 
 	// Set an explicit sysctl.
 	c.HostConfig.Sysctls["kernel.domainname"] = "foobar.net"
 	assert.Assert(t, c.HostConfig.Sysctls["kernel.domainname"] != c.Config.Domainname)
-	c.HostConfig.Sysctls["net.ipv4.ip_unprivileged_port_start"] = "1024"
 
 	s, err = d.createSpec(c)
 	assert.NilError(t, err)
 	assert.Equal(t, s.Hostname, "foobar")
 	assert.Equal(t, s.Linux.Sysctl["kernel.domainname"], c.HostConfig.Sysctls["kernel.domainname"])
-	assert.Equal(t, s.Linux.Sysctl["net.ipv4.ip_unprivileged_port_start"], c.HostConfig.Sysctls["net.ipv4.ip_unprivileged_port_start"])
-
-	// Ensure the ping_group_range is not set on a daemon with user-namespaces enabled
-	d.configStore.RemappedRoot = "dummy:dummy"
-	s, err = d.createSpec(c)
-	assert.NilError(t, err)
-	_, ok := s.Linux.Sysctl["net.ipv4.ping_group_range"]
-	assert.Assert(t, !ok)
-
-	// Ensure the ping_group_range is set on a container in "host" userns mode
-	// on a daemon with user-namespaces enabled
-	c.HostConfig.UsernsMode = "host"
-	s, err = d.createSpec(c)
-	assert.NilError(t, err)
-	assert.Equal(t, s.Linux.Sysctl["net.ipv4.ping_group_range"], "0 2147483647")
-}
-
-// TestSysctlOverrideHost ensures that any implicit network sysctls are not set
-// with host networking
-func TestSysctlOverrideHost(t *testing.T) {
-	skip.If(t, os.Getuid() != 0, "skipping test that requires root")
-	c := &container.Container{
-		Config: &containertypes.Config{},
-		HostConfig: &containertypes.HostConfig{
-			NetworkMode: "host",
-			Sysctls:     map[string]string{},
-		},
-	}
-	d := setupFakeDaemon(t, c)
-	defer cleanupFakeContainer(c)
-
-	// Ensure that the implicit sysctl is not set
-	s, err := d.createSpec(c)
-	assert.NilError(t, err)
-	assert.Equal(t, s.Linux.Sysctl["net.ipv4.ip_unprivileged_port_start"], "")
-	assert.Equal(t, s.Linux.Sysctl["net.ipv4.ping_group_range"], "")
-
-	// Set an explicit sysctl.
-	c.HostConfig.Sysctls["net.ipv4.ip_unprivileged_port_start"] = "1024"
-
-	s, err = d.createSpec(c)
-	assert.NilError(t, err)
-	assert.Equal(t, s.Linux.Sysctl["net.ipv4.ip_unprivileged_port_start"], c.HostConfig.Sysctls["net.ipv4.ip_unprivileged_port_start"])
 }
 
 func TestGetSourceMount(t *testing.T) {
diff --git a/integration-cli/docker_cli_run_unix_test.go b/integration-cli/docker_cli_run_unix_test.go
index f11a8891a3..5b69f61928 100644
--- a/integration-cli/docker_cli_run_unix_test.go
+++ b/integration-cli/docker_cli_run_unix_test.go
@@ -1233,23 +1233,12 @@ func (s *DockerSuite) TestUserNoEffectiveCapabilitiesNetBindService(c *testing.T
 	// test that a root user has default capability CAP_NET_BIND_SERVICE
 	dockerCmd(c, "run", "syscall-test", "socket-test")
 	// test that non root user does not have default capability CAP_NET_BIND_SERVICE
-	// as we allow this via sysctl, also tweak the sysctl back to default
-	args := []string{"run", "--user", "1000:1000"}
-	if sysctlExists("net.ipv4.ip_unprivileged_port_start") {
-		args = append(args, "--sysctl", "net.ipv4.ip_unprivileged_port_start=1024")
-	}
-	args = append(args, "syscall-test", "socket-test")
-	icmd.RunCommand(dockerBinary, args...).Assert(c, icmd.Expected{
+	icmd.RunCommand(dockerBinary, "run", "--user", "1000:1000", "syscall-test", "socket-test").Assert(c, icmd.Expected{
 		ExitCode: 1,
 		Err:      "Permission denied",
 	})
 	// test that root user can drop default capability CAP_NET_BIND_SERVICE
-	args = []string{"run", "--cap-drop", "net_bind_service"}
-	if sysctlExists("net.ipv4.ip_unprivileged_port_start") {
-		args = append(args, "--sysctl", "net.ipv4.ip_unprivileged_port_start=1024")
-	}
-	args = append(args, "syscall-test", "socket-test")
-	icmd.RunCommand(dockerBinary, args...).Assert(c, icmd.Expected{
+	icmd.RunCommand(dockerBinary, "run", "--cap-drop", "net_bind_service", "syscall-test", "socket-test").Assert(c, icmd.Expected{
 		ExitCode: 1,
 		Err:      "Permission denied",
 	})
-- 
2.40.1.495.gc816e09b53d-goog