On Sun, Nov 15, 2015 at 07:53:53PM +0100, Jozsef Kadlecsik wrote:
> Hi Philip,
>
> On Sat, 14 Nov 2015, Philip Whineray wrote:
>
> > Since it's in danger of getting quite complicated, would one or more of
> > the following be acceptable?
> >
> > - Choose permission in a module parameter
> >
> > - Allow setting with sysctl e.g. net.netfilter.conf.xtable_proc_perms
> >
> > - Match permissions of /proc/modules (grsec restricts these so we will
> >   gain the same policy).
>
> In my opinion either one is good and I'd pick the sysctl setting. That way
> the permissions could be changed without reloading the module and
> independently of the permissions of /proc/modules.

I'd rather not have a sysctl for this thing. I suspect it will not take
long until someone else will follow up with a similar patch for
/proc/net/nf_conntrack.

What is the plan of namespace people for unprivileged namespaces with
non-world readable /proc entries?