From 6247d1c3f73bab8fccd7b0d608d1a0aaf07fecdb Mon Sep 17 00:00:00 2001
From: Dmitry Vyukov
Date: Mon, 20 Jun 2022 10:08:26 +0200
Subject: executor: fix enabling of ICMP/ping sockets

net/ipv4/ping_group_range sysctl grants access to ICMP sockets to the specified user groups. But it needs to be set inside of the net namespace (it's per-namespace). We were setting it but in the init namespace only (which we don't use). Set it after CLONE_NEWNET. This repairs testing of ICMP sockets. Note: don't set it for setuid sandbox since it's "low privilege".
---
sys/linux/test/ping | 2 ++
1 file changed, 2 insertions(+)
create mode 100644 sys/linux/test/ping
(limited to 'sys')

diff --git a/sys/linux/test/ping b/sys/linux/test/ping
new file mode 100644
index 000000000..631bd958e
--- /dev/null
+++ b/sys/linux/test/ping
@@ -0,0 +1,2 @@
+r0 = socket$inet_icmp(AUTO, AUTO, AUTO)
+close(r0)
--
cgit mrf-deployment
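Review bot: The new test expects `socket$inet_icmp` to succeed unconditionally, yet the commit message says ping_group_range is deliberately left unset for the setuid sandbox, so under that sandbox the call would presumably be denied. If the test runner exercises this program under setuid (the executor side of the change is not shown in this 'sys'-limited view), restrict it with a header such as `# requires: -sandbox=setuid`. A one-line comment like `# ICMP sockets need net/ipv4/ping_group_range set inside the test net namespace.` would also record why the test exists. A later regression in the sysctl setup would then be recognised as lost ICMP socket coverage rather than dismissed as a flaky test.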