git.baikalelectronics.ru Git - kernel.git/commit
netfilter: Set /proc/net entries owner to root in namespace
author Philip Whineray <phil@firehol.org>
Sun, 22 Nov 2015 11:35:07 +0000 (11:35 +0000)
committer Pablo Neira Ayuso <pablo@netfilter.org>
Wed, 25 Nov 2015 12:54:09 +0000 (13:54 +0100)
commit 5c2faf138e70218b6a1bec5eccb0f61207f5e276
tree 3e7035ef8a97bcc475381fb7c5227e087e45a70a
parent 56157d41731eb5c35fa8237e94e3f20220f4f7f4
netfilter: Set /proc/net entries owner to root in namespace

Various files are owned by root with 0440 permission. Reading them is
impossible in an unprivileged user namespace, interfering with firewall
tools. For instance, iptables-save relies on /proc/net/ip_tables_names
contents to dump only loaded tables.

This patch assigned ownership of the following files to root in the
current namespace:

- /proc/net/*_tables_names
- /proc/net/*_tables_matches
- /proc/net/*_tables_targets
- /proc/net/nf_conntrack
- /proc/net/nf_conntrack_expect
- /proc/net/netfilter/nfnetlink_log

A mapping for root must be available, so this order should be followed:

unshare(CLONE_NEWUSER);
/* Setup the mapping */
unshare(CLONE_NEWNET);

Signed-off-by: Philip Whineray <phil@firehol.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
net/netfilter/nf_conntrack_expect.c
net/netfilter/nf_conntrack_standalone.c
net/netfilter/nfnetlink_log.c
net/netfilter/x_tables.c
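Added example, not code from this commit or the kernel tree: a small C program that follows the ordering the commit message requires (unshare(CLONE_NEWUSER), set up the uid/gid mapping, then unshare(CLONE_NEWNET)) and then probes whether /proc/net/ip_tables_names is readable from inside the namespaces, which is the iptables-save failure the patch addresses. The function names (enter_unprivileged_netns, probe_readable, write_proc) are my own; the CLONE_* values are the kernel ABI constants, and the setgroups "deny" write is the usual prerequisite for an unprivileged gid_map write.

```c
#define _GNU_SOURCE 1
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>
#define CLONE_NEWUSER 0x10000000   /* kernel ABI values, as in <linux/sched.h> */
#define CLONE_NEWNET  0x40000000

/* Write one line into a /proc/self/* mapping file; returns 0 or -errno. */
static int write_proc(const char *path, const char *line)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -errno;
    int err = dprintf(fd, "%s", line) < 0 ? errno : 0;
    close(fd);
    return -err;
}
/* The order from the commit message: user ns, mapping, then net ns. Returns 0 or -errno. */
int enter_unprivileged_netns(void)
{
    char buf[32];
    uid_t uid = getuid(); gid_t gid = getgid();   /* capture before the new user ns hides them */
    if (syscall(SYS_unshare, CLONE_NEWUSER) < 0) return -errno;
    int rc = write_proc("/proc/self/setgroups", "deny");  /* needed before gid_map without CAP_SETGID */
    if (rc) return rc;
    snprintf(buf, sizeof buf, "0 %u 1\n", (unsigned)uid);  /* inner root (0) maps to our outer uid */
    if ((rc = write_proc("/proc/self/uid_map", buf))) return rc;
    snprintf(buf, sizeof buf, "0 %u 1\n", (unsigned)gid);
    if ((rc = write_proc("/proc/self/gid_map", buf))) return rc;
    return syscall(SYS_unshare, CLONE_NEWNET) < 0 ? -errno : 0;
}
/* 1 = readable, 0 = EACCES (the symptom this commit fixes), -errno otherwise (e.g. -ENOENT). */
int probe_readable(const char *path)
{
    char c;
    int fd = open(path, O_RDONLY);
    if (fd < 0) return errno == EACCES ? 0 : -errno;
    int err = read(fd, &c, 1) < 0 ? errno : 0;
    close(fd);
    return err ? (err == EACCES ? 0 : -err) : 1;
}
int main(void)
{
    int rc = enter_unprivileged_netns();
    if (rc) { fprintf(stderr, "namespace setup failed, errno %d\n", -rc); return 1; }
    /* On a pre-patch kernel this prints "not readable" (EACCES); with the patch, "readable". */
    printf("/proc/net/ip_tables_names: %s\n",
           probe_readable("/proc/net/ip_tables_names") == 1 ? "readable" : "not readable");
    return 0;
}
```

A return of -ENOENT from probe_readable means the ip_tables module is not loaded, which is a different condition from the permission failure described above.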