
Fedora 31 Self-Contained Change proposal: Enable net.ipv4.ping_group_range in the kernel

https://fedoraproject.org/wiki/Changes/EnableSysctlPingGroupRange

(Note this change proposal was originally submitted before the
deadline, but was delayed due to some discussion between the change
owner and change wrangler)

== Summary ==
Enable the Linux kernel's <code>net.ipv4.ping_group_range</code>
parameter to cover all groups.

== Owner ==
* Name: [[User:rishi|Debarshi Ray]]
* Email: ... at redhat dot com

== Detailed Description ==
Enable the Linux kernel's <code>net.ipv4.ping_group_range</code>
parameter to cover all groups. This will let all users on the
operating system create ICMP Echo sockets without using setuid
binaries, or having the <code>CAP_NET_ADMIN</code> and
<code>CAP_NET_RAW</code> file capabilities.

== Benefit to Fedora ==
This makes <code>ping</code> work inside rootless [https://podman.io/
Podman] containers. Currently it doesn't.

When the Linux kernel's <code>net.ipv4.ping_group_range</code>
parameter is enabled for a group, users in that group can send ICMP
Echo packets without using setuid binaries, or having the
<code>CAP_NET_ADMIN</code> and <code>CAP_NET_RAW</code> file
capabilities. This works by using
[http://man7.org/linux/man-pages/man7/icmp.7.html ICMP Echo] sockets
instead of the more generic, and easier to abuse,
[http://man7.org/linux/man-pages/man7/raw.7.html raw] sockets. For
Fedora, this means that the file capabilities can be removed from the
<code>ping</code> binary.

This is good for OSTree based Fedora variants like Silverblue, where
development environments are often set up using rootless Podman
containers with helpers like [https://github.com/debarshiray/toolbox
Toolbox]. At present, <code>ping</code> doesn't work in those
environments, and it's inconvenient to not be able to use such a basic
network utility inside a development set-up.
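The mechanism above hinges on a single sysctl: the kernel only lets a process open an ICMP Echo socket if one of its GIDs falls inside <code>net.ipv4.ping_group_range</code>, whose default "1 0" is an empty range. The following shell helper, added here as an example and not part of the change proposal or of systemd, parses that value and reports whether the invoking user would get unprivileged ping; it assumes the range is read from <code>/proc/sys/net/ipv4/ping_group_range</code> (tab-separated, as the kernel writes it) and that "0 2147483647" is the value used to cover every group.

```shell
#!/bin/sh
# Added example (not from the Fedora change or systemd): check whether the
# kernel's net.ipv4.ping_group_range admits ICMP Echo sockets for a user.

# gid_in_ping_range "<min> <max>" gid1 [gid2 ...]
# Returns 0 if any given GID lies inside the range. The kernel separates the
# two numbers with a tab in /proc and accepts a space in sysctl.d files, so
# the value is split with awk rather than a fixed pattern. The disabled
# default "1 0" is an empty range (min > max), which admits nobody.
gid_in_ping_range() {
    range="$1"; shift
    lo=$(printf '%s\n' "$range" | awk '{print $1}')
    hi=$(printf '%s\n' "$range" | awk '{print $2}')
    if [ "$lo" -gt "$hi" ]; then
        return 1
    fi
    for gid in "$@"; do
        if [ "$gid" -ge "$lo" ] && [ "$gid" -le "$hi" ]; then
            return 0
        fi
    done
    return 1
}

# check_unprivileged_ping: read the live sysctl and the caller's groups
# (id -G lists primary and supplementary GIDs) and say whether ping would
# work without setuid or file capabilities on the binary.
check_unprivileged_ping() {
    sysctl_path=/proc/sys/net/ipv4/ping_group_range
    range=$(cat "$sysctl_path" 2>/dev/null) || {
        echo "$sysctl_path missing: kernel without ICMP Echo socket support"
        return 2
    }
    # shellcheck disable=SC2046  (word splitting of id -G is intended)
    if gid_in_ping_range "$range" $(id -G); then
        echo "ping_group_range='$range': unprivileged ICMP Echo sockets allowed"
        return 0
    fi
    echo "ping_group_range='$range': ping still needs setuid or cap_net_raw"
    return 1
}

# The value that covers all groups, as a sysctl.d line (assumed value):
#   net.ipv4.ping_group_range = 0 2147483647
```

Run <code>check_unprivileged_ping</code> both on the host and inside a rootless Podman container: the container shares the host kernel's sysctl, so the result shows directly whether the change has taken effect for that user namespace.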

== Scope ==
* Proposal owners: Enable <code>net.ipv4.ping_group_range</code> by
adding it to one of the files shipped by the systemd RPM in
<code>/usr/lib/sysctl.d</code> or by creating a new file shipped by
the podman or toolbox RPMs.
[https://github.com/systemd/systemd/pull/13141 Here] is an upstream
pull request against systemd.
* Other developers: Once this change is in place, the file
capabilities should be removed from the <code>ping</code> binary
because they would no longer be necessary. However, it's not a
requirement for implementing this change.
* Release engineering: N/A (not needed for this Change)
* Policies and guidelines: N/A (not needed for this Change)
* Trademark approval: N/A (not needed for this Change)

== Upgrade/compatibility impact ==
Systems with a previous version of Fedora won't need manual
intervention. They will inherit this change when updated.

== How To Test ==
On a Fedora system containing this change, the following commands should work:
<pre>
$ podman run -it --rm registry.fedoraproject.org/fedora:latest
...
# dnf -y install iputils
...
# ping fedoraproject.org
...
</pre>

== User Experience ==
Users of rootless Podman, including those developing on Silverblue
inside Toolbox containers, would now be able to use <code>ping</code>.
Earlier, they weren't able to.

== Dependencies ==
N/A (not needed for this Change)

== Contingency Plan ==
* Contingency mechanism: If <code>net.ipv4.ping_group_range</code>
isn't enabled, then the status quo will be maintained. No explicit action
needs to be taken. Note that the <code>ping</code> binary should not
be touched until this change is complete. Only then should the file
capabilities be removed.
* Contingency deadline: N/A (not needed for this Change)
* Blocks release? No
* Blocks product? No

== Documentation ==
There's no upstream documentation. There's some discussion on
[https://github.com/systemd/systemd/pull/13141 this] systemd pull
request.