On Sun, Sep 18, 2016 at 09:40:55PM +0200, Jann Horn wrote:
> nf_log_proc_dostring() used current's network namespace instead of the one
> corresponding to the sysctl file the write was performed on. Because the
> permission check happens at open time and the nf_log files in namespaces
> are accessible for the namespace owner, this can be abused by an
> unprivileged user to effectively write to the init namespace's nf_log
> sysctls.

Applied, thanks.