path: root/samples/kdb
author: Philip Whineray <phil@firehol.org> 2015-11-22 11:35:07 (GMT)
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2015-11-25 12:54:09 (GMT)
commit: f13f2aeed154da8e48f90b85e720f8ba39b1e881 (patch)
tree: 3e7035ef8a97bcc475381fb7c5227e087e45a70a /samples/kdb
parent: daaa7d647f81f3f1494d9a9029d611b666d63181 (diff)
download: linux-f13f2aeed154da8e48f90b85e720f8ba39b1e881.tar.xz
netfilter: Set /proc/net entries owner to root in namespace
Various files are owned by root with 0440 permission. Reading them is impossible in an unprivileged user namespace, interfering with firewall tools. For instance, iptables-save relies on /proc/net/ip_tables_names contents to dump only loaded tables.

This patch assigned ownership of the following files to root in the current namespace:

- /proc/net/*_tables_names
- /proc/net/*_tables_matches
- /proc/net/*_tables_targets
- /proc/net/nf_conntrack
- /proc/net/nf_conntrack_expect
- /proc/net/netfilter/nfnetlink_log

A mapping for root must be available, so this order should be followed:

    unshare(CLONE_NEWUSER);
    /* Setup the mapping */
    unshare(CLONE_NEWNET);

Signed-off-by: Philip Whineray <phil@firehol.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'samples/kdb')
0 files changed, 0 insertions, 0 deletions
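The commit message states the ordering an unprivileged tool must follow (user namespace first, then the uid/gid mapping, then the network namespace) for the re-owned /proc/net files to be readable. The following is an added example, not code from the kernel commit or from the netfilter project, that carries that sequence out in C and then checks whether one of the listed files can be opened. It assumes a Linux host with user and network namespaces enabled for unprivileged users; the probe path `/proc/net/ip_tables_names` is taken from the commit message, while the function names (`enter_isolated_namespaces`, `probe_in_isolated_namespaces`, and so on) are this example's own.

```c
// Added example: perform the unshare(CLONE_NEWUSER) -> write mapping ->
// unshare(CLONE_NEWNET) sequence from the commit message, then probe one of
// the /proc/net files the commit re-owns. Function names are hypothetical.
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* One of the files listed in the commit message. */
#define PROBE_PATH "/proc/net/ip_tables_names"

/* Format one "inner outer count" line for /proc/self/{uid,gid}_map.
 * Returns the line length, or -ENOSPC if the buffer is too small. */
int format_id_map(char *buf, size_t len, unsigned inner, unsigned outer, unsigned count)
{
    int n = snprintf(buf, len, "%u %u %u\n", inner, outer, count);
    return (n < 0 || (size_t)n >= len) ? -ENOSPC : n;
}

/* Write a short string to an existing file. Returns 0 or -errno. */
int write_file(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY | O_CLOEXEC);
    if (fd < 0)
        return -errno;
    ssize_t n = write(fd, text, strlen(text));
    int err = (n < 0) ? -errno : 0;
    close(fd);
    return err;
}

/* "Setup the mapping": make uid/gid 0 inside the new user namespace map to
 * the caller's real uid/gid. setgroups must be denied before gid_map can be
 * written by an unprivileged process. Returns 0 or -errno. */
int map_root_to_caller(void)
{
    char uid_line[64], gid_line[64];
    int rc;

    if (format_id_map(uid_line, sizeof uid_line, 0, (unsigned)getuid(), 1) < 0 ||
        format_id_map(gid_line, sizeof gid_line, 0, (unsigned)getgid(), 1) < 0)
        return -ENOSPC;
    if ((rc = write_file("/proc/self/setgroups", "deny")) != 0)
        return rc;
    if ((rc = write_file("/proc/self/gid_map", gid_line)) != 0)
        return rc;
    return write_file("/proc/self/uid_map", uid_line);
}

/* The ordering from the commit message, applied to the calling process:
 * user namespace, then the root mapping, then the network namespace.
 * Returns 0 or -errno of the step that failed. */
int enter_isolated_namespaces(void)
{
    if (unshare(CLONE_NEWUSER) < 0)
        return -errno;
    int rc = map_root_to_caller();
    if (rc != 0)
        return rc;
    if (unshare(CLONE_NEWNET) < 0)
        return -errno;
    return 0;
}

/* Can path be opened for reading? 0 on success, -errno otherwise. Against a
 * kernel without this commit, an unprivileged namespace sees -EACCES on the
 * 0440 root-owned file; -ENOENT only means the ip_tables module is absent. */
int probe_readable(const char *path)
{
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -errno;
    close(fd);
    return 0;
}

/* Run the whole sequence in a forked child so the caller's own namespaces are
 * untouched. Returns the child's result (0 or -errno), or -errno from
 * fork/waitpid; the child's exit status carries the errno value (all < 256). */
int probe_in_isolated_namespaces(const char *path)
{
    pid_t pid = fork();
    if (pid < 0)
        return -errno;
    if (pid == 0) {
        int rc = enter_isolated_namespaces();
        if (rc == 0)
            rc = probe_readable(path);
        _exit(rc == 0 ? 0 : -rc);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -errno;
    if (!WIFEXITED(status))
        return -ECHILD;
    return -WEXITSTATUS(status);
}

int main(void)
{
    int rc = probe_in_isolated_namespaces(PROBE_PATH);
    if (rc == 0)
        printf("%s readable inside unprivileged user+net namespace\n", PROBE_PATH);
    else
        printf("%s not readable: %s\n", PROBE_PATH, strerror(-rc));
    return rc == 0 ? 0 : 1;
}
```

Whether the probe succeeds depends on the host: a kernel that disallows unprivileged user namespaces fails at the first `unshare`, a kernel without this commit returns `EACCES` at the probe, and a kernel with the commit but without `ip_tables` loaded returns `ENOENT`, which is the same signal `iptables-save` uses to decide that no tables are loaded.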