[PATCH v1 2/2] Show /proc/self/net only for CAP_NET_ADMIN

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Show /proc/self/net only for CAP_NET_ADMIN if procfs is mounted with
subset=pid option in user namespace. This is done to avoid possible
information leakage.

Signed-off-by: Alexey Gladkov <gladkov.alexey@xxxxxxxxx>
---
 fs/proc/proc_net.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/fs/proc/proc_net.c b/fs/proc/proc_net.c
index dba63b2429f0..11fa2c4b3529 100644
--- a/fs/proc/proc_net.c
+++ b/fs/proc/proc_net.c
@@ -275,6 +275,12 @@ static struct net *get_proc_task_net(struct inode *dir)
 	struct task_struct *task;
 	struct nsproxy *ns;
 	struct net *net = NULL;
+	struct proc_fs_info *fs_info = proc_sb_info(dir->i_sb);
+
+	if ((fs_info->pidonly == PROC_PIDONLY_ON) &&
+	    (current_user_ns() != &init_user_ns) &&
+	    !capable(CAP_NET_ADMIN))
+		return net;
 
 	rcu_read_lock();
 	task = pid_task(proc_pid(dir), PIDTYPE_PID);
-- 
2.25.4
[Index of Archives]     [Linux Ext4 Filesystem]     [Union Filesystem]     [Filesystem Testing]     [Ceph Users]     [Ecryptfs]     [AutoFS]     [Kernel Newbies]     [Share Photos]     [Security]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux Cachefs]     [Reiser Filesystem]     [Linux RAID]     [Samba]     [Device Mapper]     [CEPH Development]

  Powered by Linux