On Sun, Nov 22, 2015 at 11:35:07AM +0000, Philip Whineray wrote:
> Various files are owned by root with 0440 permission. Reading them is
> impossible in an unprivileged user namespace, interfering with firewall
> tools. For instance, iptables-save relies on /proc/net/ip_tables_names
> contents to dump only loaded tables.
>
> This patch assigned ownership of the following files to root in the
> current namespace:
>
> - /proc/net/*_tables_names
> - /proc/net/*_tables_matches
> - /proc/net/*_tables_targets
> - /proc/net/nf_conntrack
> - /proc/net/nf_conntrack_expect
> - /proc/net/netfilter/nfnetlink_log
>
> A mapping for root must be available, so this order should be followed:
>
> unshare(CLONE_NEWUSER);
> /* Setup the mapping */
> unshare(CLONE_NEWNET);

Applied, thanks.
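The ordering the commit message asks for (user namespace first, then a root mapping, then the network namespace) spelled out as a complete program. This is an added example, not code from the patch or from the thread; the helper names (format_id_map, map_root_to_self, enter_netfilter_sandbox, can_read) are mine, and the check at the end assumes the ip_tables module is loaded so that /proc/net/ip_tables_names exists. The mapping step writes the process's own uid and gid to /proc/self/uid_map and /proc/self/gid_map, which an unprivileged process is allowed to do only for a single id equal to its own and only after "deny" has been written to /proc/self/setgroups.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Write a short string to a /proc file; returns 0 or -errno. */
static int write_file(const char *path, const char *buf)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return -errno;
    ssize_t n = write(fd, buf, strlen(buf));
    int err = (n < 0) ? -errno : 0;
    close(fd);
    return err;
}

/* Format one id_map line "inside outside count"; returns 0 or -EOVERFLOW
 * if the buffer is too small. Pure helper, so it can be checked in isolation. */
int format_id_map(char *out, size_t outlen, unsigned inside, unsigned outside,
                  unsigned count)
{
    int n = snprintf(out, outlen, "%u %u %u", inside, outside, count);
    if (n < 0 || (size_t)n >= outlen)
        return -EOVERFLOW;
    return 0;
}

/* Step 2 of the required order: make uid 0 / gid 0 exist in the new user
 * namespace by mapping them to the invoking uid/gid. Returns 0 or -errno. */
int map_root_to_self(uid_t uid, gid_t gid)
{
    char line[64];
    int r;

    if ((r = format_id_map(line, sizeof line, 0, (unsigned)uid, 1)) < 0)
        return r;
    if ((r = write_file("/proc/self/uid_map", line)) < 0)
        return r;
    /* Since Linux 3.19 an unprivileged writer must deny setgroups before
     * gid_map can be written. */
    if ((r = write_file("/proc/self/setgroups", "deny")) < 0)
        return r;
    if ((r = format_id_map(line, sizeof line, 0, (unsigned)gid, 1)) < 0)
        return r;
    return write_file("/proc/self/gid_map", line);
}

/* The full sequence from the commit message. Returns 0 or -errno.
 * unshare(CLONE_NEWUSER) fails with EPERM where unprivileged user
 * namespaces are disabled; that is reported, not hidden. */
int enter_netfilter_sandbox(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();
    int r;

    if (unshare(CLONE_NEWUSER) < 0)       /* 1. user namespace first      */
        return -errno;
    if ((r = map_root_to_self(uid, gid)) < 0) /* 2. root must be mapped    */
        return r;
    if (unshare(CLONE_NEWNET) < 0)        /* 3. only then the net namespace */
        return -errno;
    return 0;
}

/* Open a file read-only to see whether the new ownership lets us read it.
 * Returns 0 if readable, otherwise -errno (e.g. -EACCES on an unpatched kernel). */
int can_read(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -errno;
    close(fd);
    return 0;
}

int main(void)
{
    int r = enter_netfilter_sandbox();
    if (r < 0) {
        fprintf(stderr, "namespace setup failed: %s\n", strerror(-r));
        return 1;
    }
    const char *path = "/proc/net/ip_tables_names"; /* assumes ip_tables is loaded */
    r = can_read(path);
    printf("%s: %s\n", path, r == 0 ? "readable" : strerror(-r));
    return r == 0 ? 0 : 2;
}
```

The same three steps are what util-linux's unshare(1) performs for `unshare --user --map-root-user --net`, which is the quick way to confirm the patch's effect with iptables-save instead of a custom program. Reversing steps 2 and 3 reproduces the complaint in the commit message: without a root mapping in place when the network namespace is created, the files end up owned by the overflow id and remain unreadable.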