Reading these files is impossible in an unprivileged user namespace, interfering with various firewall tools. For instance, iptables-save relies on reading /proc/net/ip_tables_names to dump only loaded tables.

Hiding the contents from non-root users does not achieve anything practical. Possible values are well-known and the specifics can be inferred from a list of loaded modules on most systems.

Signed-off-by: Philip Whineray <phil@xxxxxxxxxxx>
---
An alternate might be to change the ownership of the files within the namespace when it is created:
https://lists.linuxcontainers.org/pipermail/lxc-users/2014-November/008110.html

I do not see that there is much advantage to this, it just ties the ability to read the files to the ability to create an unprivileged namespace.

 net/netfilter/x_tables.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 9b42b5e..c05adde 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -1236,21 +1236,21 @@ int xt_proto_init(struct net *net, u_int8_t af) #ifdef CONFIG_PROC_FS strlcpy(buf, xt_prefix[af], sizeof(buf)); strlcat(buf, FORMAT_TABLES, sizeof(buf)); - proc = proc_create_data(buf, 0440, net->proc_net, &xt_table_ops, + proc = proc_create_data(buf, 0444, net->proc_net, &xt_table_ops, (void *)(unsigned long)af); if (!proc) goto out; strlcpy(buf, xt_prefix[af], sizeof(buf)); strlcat(buf, FORMAT_MATCHES, sizeof(buf)); - proc = proc_create_data(buf, 0440, net->proc_net, &xt_match_ops, + proc = proc_create_data(buf, 0444, net->proc_net, &xt_match_ops, (void *)(unsigned long)af); if (!proc) goto out_remove_tables; strlcpy(buf, xt_prefix[af], sizeof(buf)); strlcat(buf, FORMAT_TARGETS, sizeof(buf)); - proc = proc_create_data(buf, 0440, net->proc_net, &xt_target_ops, + proc = proc_create_data(buf, 0444, net->proc_net, &xt_target_ops, (void *)(unsigned long)af); if (!proc) goto out_remove_matches; -- 2.1.4 -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
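Review bot: The commit message motivates the change with /proc/net/ip_tables_names only, but the hunk relaxes all three entries created in xt_proto_init (FORMAT_TABLES, FORMAT_MATCHES and FORMAT_TARGETS, i.e. the tables, matches and targets lists for each family in xt_prefix[]), so the message should state that the matches and targets lists also become world-readable and that the same "values are well-known" argument is meant to cover them. The change itself is mechanical: only the mode argument to proc_create_data() moves from 0440 to 0444 in each of the three calls, the error unwinding through out, out_remove_tables and out_remove_matches is untouched, and 0444 matches the stated intent that read access no longer depend on the reader's uid/gid mapping inside a user namespace.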