netfilter: Set /proc/net entries owner to root in namespace
author Philip Whineray <phil@firehol.org>
Sun, 22 Nov 2015 11:35:07 +0000 (11:35 +0000)
committer Pablo Neira Ayuso <pablo@netfilter.org>
Wed, 25 Nov 2015 12:54:09 +0000 (13:54 +0100)
commit f13f2aeed154da8e48f90b85e720f8ba39b1e881
tree 3e7035ef8a97bcc475381fb7c5227e087e45a70a
parent daaa7d647f81f3f1494d9a9029d611b666d63181
netfilter: Set /proc/net entries owner to root in namespace

Various files are owned by root with 0440 permission. Reading them is
impossible in an unprivileged user namespace, interfering with firewall
tools. For instance, iptables-save relies on /proc/net/ip_tables_names
contents to dump only loaded tables.

This patch assigns ownership of the following files to root in the
current namespace:

- /proc/net/*_tables_names
- /proc/net/*_tables_matches
- /proc/net/*_tables_targets
- /proc/net/nf_conntrack
- /proc/net/nf_conntrack_expect
- /proc/net/netfilter/nfnetlink_log

A mapping for root must be available, so this order should be followed:

unshare(CLONE_NEWUSER);
/* Setup the mapping */
unshare(CLONE_NEWNET);

Signed-off-by: Philip Whineray <phil@firehol.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
net/netfilter/nf_conntrack_expect.c
net/netfilter/nf_conntrack_standalone.c
net/netfilter/nfnetlink_log.c
net/netfilter/x_tables.c
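The unshare ordering the commit message prescribes, written out as a small C program. This is an added example, not code from the patch or from the netfilter tree: the function names (format_id_map, enter_root_userns_then_netns, probe_proc_net_entry) are mine, it assumes a kernel with unprivileged user namespaces enabled and the ip_tables module loaded (otherwise /proc/net/ip_tables_names does not exist), and the mapping it writes is the usual single-line "0 <caller uid> 1" form. The probe reports the owner uid of the entry as seen from inside the new user namespace: with this patch and the right order it is 0; a file still owned by the initial namespace's root is unmapped and shows as the overflow uid, and open() on a 0440 file then fails with EACCES, which is the symptom the commit describes.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Format one uid_map/gid_map line: "<id inside ns> <id outside ns> <count>\n".
 * Returns the number of bytes written, or -1 if buf is too small. */
int format_id_map(char *buf, size_t len, unsigned inside, unsigned outside, unsigned count)
{
    int n = snprintf(buf, len, "%u %u %u\n", inside, outside, count);
    if (n < 0 || (size_t)n >= len)
        return -1;
    return n;
}

/* Write a whole string to an existing file in a single write(2); 0 or -errno. */
static int write_str(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return -errno;
    ssize_t w = write(fd, data, strlen(data));
    int err = (w < 0) ? errno : 0;
    close(fd);
    if (w != (ssize_t)strlen(data))
        return err ? -err : -EIO;
    return 0;
}

/* The sequence from the commit message: user namespace first, then the root
 * mapping, and only then the network namespace, so the netns (and the /proc/net
 * entries created with it) belongs to a user namespace in which uid 0 already
 * maps to the caller. Returns 0, or -errno from the step that failed. */
int enter_root_userns_then_netns(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();
    char map[64];
    int rc;

    if (unshare(CLONE_NEWUSER) < 0)
        return -errno;

    /* An unprivileged writer of gid_map must deny setgroups first (Linux >= 3.19);
     * older kernels have no such file, so a failure here is deliberately ignored. */
    (void)write_str("/proc/self/setgroups", "deny");

    if (format_id_map(map, sizeof map, 0, (unsigned)uid, 1) < 0)
        return -EINVAL;
    if ((rc = write_str("/proc/self/uid_map", map)) < 0)
        return rc;
    if (format_id_map(map, sizeof map, 0, (unsigned)gid, 1) < 0)
        return -EINVAL;
    if ((rc = write_str("/proc/self/gid_map", map)) < 0)
        return rc;

    if (unshare(CLONE_NEWNET) < 0)
        return -errno;
    return 0;
}

/* Owner of a /proc/net entry as seen from the current user namespace, plus a
 * read-open check. After this patch, with the order above, *owner is 0; an entry
 * owned by the initial namespace's root is unmapped here, shows as the overflow
 * uid (65534 by default), and open() on a 0440 file fails with EACCES.
 * Returns 0 on success or -errno. */
int probe_proc_net_entry(const char *path, uid_t *owner)
{
    struct stat st;
    int fd;

    if (stat(path, &st) < 0)
        return -errno;
    if (owner)
        *owner = st.st_uid;
    fd = open(path, O_RDONLY);
    if (fd < 0)
        return -errno;
    close(fd);
    return 0;
}

int main(void)
{
    /* Assumption: ip_tables is loaded, so /proc/net/ip_tables_names exists. */
    const char *path = "/proc/net/ip_tables_names";
    uid_t owner = (uid_t)-1;
    int rc = enter_root_userns_then_netns();

    if (rc < 0) {
        fprintf(stderr, "namespace setup failed: %s\n", strerror(-rc));
        return 1;
    }
    rc = probe_proc_net_entry(path, &owner);
    printf("%s: owner uid %u, open %s\n", path, (unsigned)owner,
           rc == 0 ? "ok" : strerror(-rc));
    return rc == 0 ? 0 : 1;
}
```

Swapping the two unshare calls, or folding them into one unshare(CLONE_NEWUSER | CLONE_NEWNET) before any mapping is written, leaves the new netns without a valid root uid at the moment its /proc/net files are registered, which is exactly the situation the commit message warns about. unshare(CLONE_NEWUSER) also refuses multithreaded callers with EINVAL, so run this from a single-threaded process.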