From 821362bd1e36ed021242d94e14dff330add2cbf9 Mon Sep 17 00:00:00 2001
From: Akihiro Suda
Date: Wed, 20 Nov 2019 07:26:02 +0900
Subject: [PATCH] SafeSysctlWhitelist: add net.ipv4.ping_group_range sysctl value
`net.ipv4.ping_group_range` can be used for allowing `ping` command without `CAP_NET_RAW` capability. e.g. `net.ipv4.ping_group_range="0 42"` to allow ping for users with GID 0-GID 42. This sysctl value was introduced in kernel 3.0 and has been namespaced since its birth. https://github.com/torvalds/linux/commit/c319b4d76b9e583a5d88d6bf190e079c4e43213d#diff-5b536a7a92abed603bbb4caa61613270R57
Signed-off-by: Akihiro Suda
---
 pkg/security/podsecuritypolicy/sysctl/mustmatchpatterns.go | 1 +
 1 file changed, 1 insertion(+)
diff --git a/pkg/security/podsecuritypolicy/sysctl/mustmatchpatterns.go b/pkg/security/podsecuritypolicy/sysctl/mustmatchpatterns.go
index cab5f59f3e7..e803ebf751c 100644
--- a/pkg/security/podsecuritypolicy/sysctl/mustmatchpatterns.go
+++ b/pkg/security/podsecuritypolicy/sysctl/mustmatchpatterns.go
@@ -34,6 +34,7 @@ func SafeSysctlWhitelist() []string {
 "kernel.shm_rmid_forced",
 "net.ipv4.ip_local_port_range",
 "net.ipv4.tcp_syncookies",
+ "net.ipv4.ping_group_range",
 }
 }
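Review bot: The added `"net.ipv4.ping_group_range"` entry carries none of the rationale the commit message gives, and this list is the safe-sysctl contract (every entry is expected to be namespaced and isolated from other pods), so the justification and the kernel dependency belong next to the entry rather than only in git history; on a node whose kernel predates 3.0 the key is absent and the pod would fail at sysctl time. Suggest a comment directly above the new line: `// Namespaced since its introduction in kernel 3.0; lets the listed GID range open ICMP echo sockets without CAP_NET_RAW.` The whitelist only gates the sysctl name, not the value, so the accepted "min max" GID range is presumably still checked only by the generic sysctl value validation elsewhere — worth confirming that validation rejects malformed input. It may also be worth a test in the sibling test file asserting the entry is present, since this list is consulted by policy validation. The enclosing function SafeSysctlWhitelist starts outside the hunk.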