On Monday 2011-04-04 14:58, Patrick McHardy wrote: >On 01.04.2011 23:34, Maciej Åenczykowski wrote: >>> Redhat still has not given a reason as to why this is needed. >> >> I believe: >> a) the fact CLOEXEC isn't the default on new fd's is a (UNIX/POSIX) >> API bug (which of course can't be fixed...) >> b) not setting CLOEXEC on every fd is an application bug (with the >> exception of the specific few fd's you actually want inherited) >> c) iptables does occasionally fork/exec (to load modules), for >> example "/sbin/modprobe ip6_tables -q", but also for match/target >> revision compatibility checking, and when it does this it can call >> modprobe with additional opened descriptors (for example sockfd inside >> of compatible_revision isn't closed before fork/exec modprobe) - this >> is unclean, and could potentially cause security warnings (or even >> issues?) since iptables and modprobe have different contexts. >> >> [fc14]# ls -alZ `which iptables` >> lrwxrwxrwx. root root system_u:object_r:bin_t:s0 /sbin/iptables >> -> iptables-multi >> [fc14]# ls -alZ /sbin/iptables-multi >> -rwxr-xr-x. root root system_u:object_r:iptables_exec_t:s0 /sbin/iptables-multi >> [fc14]# ls -alZ `which modprobe` >> -rwxr-xr-x. root root system_u:object_r:insmod_exec_t:s0 /sbin/modprobe >> >> I'm not going to claim I fully understand the security implications of >> leaving the file descriptor open across exec, but there is clearly no >> reason to do so, hence the patch. > >This seems reasonable to me. Jan, any further objections? > No objections, they may be merged all. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
