Re: [PATCH v2] Root in namespace owns x_tables /proc entries

On Mon, Nov 16, 2015 at 12:56:59PM +0100, Pablo Neira Ayuso wrote:
> On Sun, Nov 15, 2015 at 07:53:53PM +0100, Jozsef Kadlecsik wrote:
> > Hi Philip,
> > 
> > On Sat, 14 Nov 2015, Philip Whineray wrote:
> > 
> > > Since it's in danger of getting quite complicated, would one or more of
> > > the following be acceptable?
> > > 
> > > - Choose permission in a module parameter
> > > 
> > > - Allow setting with sysctl e.g. net.netfilter.conf.xtable_proc_perms
> > > 
> > > - Match permissions of /proc/modules (grsec restricts these so we will
> > >   gain the same policy).
> > 
> > In my opinion either one is good and I'd pick the sysctl setting. That way 
> > the permissions could be changed without reloading the module and 
> > independently of the permissions of /proc/modules.
> 
> I'd rather not have a sysctl for this thing.
> 
> I suspect it will not take long until someone else will follow up with
> a similar patch for /proc/net/nf_conntrack.

That may be true. The two are not equivalent though: the nf_conntrack
information is per-namespace (so setting owner to root in the current
namespace would certainly be sensible), whereas the information in
ip_tables_names is global and directly relates to modules loaded.

> What is the plan of namespace people for unprivileged namespaces with
> non-world readable /proc entries?

It may not have come up as an issue: a quick survey on my systems suggests
pretty much only netfilter creates files which are group readable but
not world readable:

$ sudo find /proc/ -perm /g=r -a \! -perm /o=r | sed \
     's:proc/[0-9]*/:proc/0/:' | sort -u | less
/proc/0/net/ip6_tables_matches
/proc/0/net/ip6_tables_names
/proc/0/net/ip6_tables_targets
/proc/0/net/ip_tables_matches
/proc/0/net/ip_tables_names
/proc/0/net/ip_tables_targets
/proc/0/net/netfilter/nfnetlink_log
/proc/0/net/nf_conntrack
/proc/0/net/nf_conntrack_expect