CVE-2021-47010

In the Linux kernel, the following vulnerability has been resolved: net:
Only allow init netns to set default tcp cong to a restricted algo
tcp_set_default_congestion_control() is netns-safe in that it writes to
&net->ipv4.tcp_congestion_control, but it also sets ca->flags |=
TCP_CONG_NON_RESTRICTED which is not namespaced. This has the unintended
side-effect of changing the global net.ipv4.tcp_allowed_congestion_control
sysctl, despite the fact that it is read-only: 97684f0970f6 (“net: Make
tcp_allowed_congestion_control readonly in non-init netns”) Resolve this
netns “leak” by only allowing the init netns to set the default algorithm
to one that is restricted. This restriction could be removed if
tcp_allowed_congestion_control were namespace-ified in the future. This bug
was uncovered with
https://github.com/JonathonReinhart/linux-netns-sysctl-verify