On 01.04.2011 23:34, Maciej Åenczykowski wrote: >> Redhat still has not given a reason as to why this is needed. > > I believe: > a) the fact CLOEXEC isn't the default on new fd's is a (UNIX/POSIX) > API bug (which of course can't be fixed...) > b) not setting CLOEXEC on every fd is an application bug (with the > exception of the specific few fd's you actually want inherited) > c) iptables does occasionally fork/exec (to load modules), for > example "/sbin/modprobe ip6_tables -q", but also for match/target > revision compatibility checking, and when it does this it can call > modprobe with additional opened descriptors (for example sockfd inside > of compatible_revision isn't closed before fork/exec modprobe) - this > is unclean, and could potentially cause security warnings (or even > issues?) since iptables and modprobe have different contexts. > > [fc14]# ls -alZ `which iptables` > lrwxrwxrwx. root root system_u:object_r:bin_t:s0 /sbin/iptables > -> iptables-multi > [fc14]# ls -alZ /sbin/iptables-multi > -rwxr-xr-x. root root system_u:object_r:iptables_exec_t:s0 /sbin/iptables-multi > [fc14]# ls -alZ `which modprobe` > -rwxr-xr-x. root root system_u:object_r:insmod_exec_t:s0 /sbin/modprobe > > I'm not going to claim I fully understand the security implications of > leaving the file descriptor open across exec, but there is clearly no > reason to do so, hence the patch. This seems reasonable to me. Jan, any further objections? -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
