From 90ce7627dfe824ff6e7c0ca5f96350fbcfec7118 Mon Sep 17 00:00:00 2001
From: Debarshi Ray <debarshir@gnome.org>
Date: Mon, 22 Jul 2019 21:30:25 +0200
Subject: [PATCH] sysctl: Enable ping(8) inside rootless Podman containers

This makes ping(8) work without CAP_NET_ADMIN and CAP_NET_RAW because
those aren't effective inside rootless Podman containers.

It's quite useful when using OSTree based operating systems like Fedora
Silverblue, where development environments are often set up using
rootless Podman containers with helpers like Toolbox [1]. Not having
a basic network utility like ping(8) work inside the development
environment can be inconvenient.

See:
https://lwn.net/Articles/422330/
http://man7.org/linux/man-pages/man7/icmp.7.html
https://github.com/containers/libpod/issues/1550

The upper limit of the range of group identifiers is set to 2147483647,
which is 2^31-1. Values greater than that get rejected by the kernel
because of this definition in linux/include/net/ping.h:
  #define GID_T_MAX (((gid_t)~0U) >> 1)

That's not so bad because values between 2^31 and 2^32-1 are reserved
on systemd-based systems anyway [2].

[1] https://github.com/debarshiray/toolbox
[2] https://systemd.io/UIDS-GIDS.html#summary
---
 NEWS                     | 6 ++++++
 sysctl.d/50-default.conf | 8 ++++++++
 2 files changed, 14 insertions(+)

diff --git a/NEWS b/NEWS
index ced3b5c044..eecf26c511 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,12 @@ systemd System and Service Manager
 
 CHANGES WITH 243 in spe:
 
+        * Enable unprivileged programs, neither setuid nor having file
+          capabilities, to send ICMP Echo requests by turning on the
+          net.ipv4.ping_group_range parameter of the Linux kernel for all
+          groups. If this is not desirable, then it can be disabled by setting
+          the parameter to "1 0".
+
         * Previously, filters defined with SystemCallFilter= would have the
           effect that an calling an offending system call would terminate the
           calling thread. This behaviour never made much sense, since killing
diff --git a/sysctl.d/50-default.conf b/sysctl.d/50-default.conf
index 27084f6242..f0b4f610f8 100644
--- a/sysctl.d/50-default.conf
+++ b/sysctl.d/50-default.conf
@@ -30,6 +30,14 @@ net.ipv4.conf.all.accept_source_route = 0
 # Promote secondary addresses when the primary address is removed
 net.ipv4.conf.all.promote_secondaries = 1
 
+# ping(8) without CAP_NET_ADMIN and CAP_NET_RAW
+# The upper limit is set to 2^31-1. Values greater than that get rejected by
+# the kernel because of this definition in linux/include/net/ping.h:
+#   #define GID_T_MAX (((gid_t)~0U) >> 1)
+# That's not so bad because values between 2^31 and 2^32-1 are reserved on
+# systemd-based systems anyway: https://systemd.io/UIDS-GIDS.html#summary
+net.ipv4.ping_group_range = 0 2147483647
+
 # Fair Queue CoDel packet scheduler to fight bufferbloat
 net.core.default_qdisc = fq_codel