From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Philip Whineray <phil@firehol.org>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH] Expose x_tables /proc entries as 0444 not 0440
Date: Wed, 11 Nov 2015 17:50:26 +0100
Message-ID: <20151111165026.GA20549@salvia>
In-Reply-To: <20151107074939.GA4003@compaq.slightly-cracked.com>
On Sat, Nov 07, 2015 at 07:49:39AM +0000, Philip Whineray wrote:
> Reading these files is impossible in an unprivileged user namespace,
> interfering with various firewall tools. For instance, iptables-save
> relies on reading /proc/net/ip_tables_names to dump only loaded tables.
>
> Hiding the contents from non-root users does not achieve anything
> practical. Possible values are well-known and the specifics can
> be inferred from a list of loaded modules on most systems.
>
> Signed-off-by: Philip Whineray <phil@firehol.org>
> ---
> An alternate might be to change the ownership of the files within the
> namespace when it is created:
>
> https://lists.linuxcontainers.org/pipermail/lxc-users/2014-November/008110.html
>
> I do not see that there is much advantage to this, it just ties the
> ability to read the files to the ability to create an unprivileged
> namespace.
So, if I understood this correctly, this approach would set the ownership
of the /proc entry to the corresponding root uid mapping from the
unprivileged namespace, right? If so, I would prefer that approach.

This is partially leaking the filtering policy to non-root users as it
contains what modules are being used, so you can at least infer how
complex your ruleset is.

And I guess it will not be a long time until someone else will follow up
with a similar patch later on to expose the content of
/proc/net/nf_conntrack to get this working on unprivileged namespaces
too.

Thanks.
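The disagreement above comes down to how the kernel's discretionary access check treats a root-owned 0440 entry when the reader is "root" only inside a user namespace, and what each proposed fix changes. The following is an added illustration, not code from the thread or from the kernel: it models the POSIX owner/group/other read check against kernel-level ids (the kernel never sees the namespace-local uid 0, only the kuid it maps to), and compares the stock 0440 root-owned entry, the [PATCH] 0444 variant, and the alternative of owning the entry by the namespace's root. The uid mapping offset 100000, the unprivileged uid 1000, and the omission of CAP_DAC_OVERRIDE handling are constructed simplifications.

```python
"""Model of why x_tables /proc entries are unreadable from an unprivileged
user namespace and what the two discussed fixes change.

Added example; not kernel code.  Simulates the POSIX read-bit check using
kernel-level ids (kuid/kgid) and a user namespace whose uid 0 is mapped to
a constructed offset.  Capabilities are deliberately left out."""

from dataclasses import dataclass

# Read bits of the file mode as chmod(1) writes them.
S_IRUSR, S_IRGRP, S_IROTH = 0o400, 0o040, 0o004


@dataclass(frozen=True)
class ProcEntry:
    path: str
    mode: int   # permission bits only, e.g. 0o440
    uid: int    # owning kuid as the init namespace sees it
    gid: int    # owning kgid as the init namespace sees it


@dataclass(frozen=True)
class Caller:
    """A process as the kernel sees it: kernel ids, not namespace-local ones."""
    kuid: int
    kgids: frozenset


def ns_root(offset: int) -> Caller:
    """'root' (uid 0 / gid 0) inside a user namespace whose ids are
    mapped to kernel ids starting at `offset` (constructed assumption)."""
    return Caller(kuid=offset, kgids=frozenset({offset}))


def can_read(entry: ProcEntry, caller: Caller) -> bool:
    """Minimal discretionary access check for the read bit.

    Only one class of bits applies: owner if the caller's kuid matches the
    file owner, otherwise group if the file's gid is among the caller's
    kgids, otherwise 'other'.  A container's uid 0 therefore only matches
    the owner when the entry has been chowned to its mapped kuid."""
    if caller.kuid == entry.uid:
        return bool(entry.mode & S_IRUSR)
    if entry.gid in caller.kgids:
        return bool(entry.mode & S_IRGRP)
    return bool(entry.mode & S_IROTH)


def evaluate(offset: int = 100000) -> dict:
    """Compare the three layouts discussed in the thread for three callers.

    `chowned` models the entry as seen in the container's own network
    namespace, owned by the kuid that the namespace's root maps to."""
    path = "/proc/net/ip_tables_names"
    stock = ProcEntry(path, 0o440, 0, 0)              # current kernel
    v1 = ProcEntry(path, 0o444, 0, 0)                 # [PATCH] 0444 not 0440
    chowned = ProcEntry(path, 0o440, offset, offset)  # owned by namespace root

    init_root = Caller(0, frozenset({0}))
    container_root = ns_root(offset)
    unpriv = Caller(1000, frozenset({1000}))         # ordinary user, constructed

    return {
        "stock_init_root": can_read(stock, init_root),
        "stock_container_root": can_read(stock, container_root),
        "0444_container_root": can_read(v1, container_root),
        "0444_any_user": can_read(v1, unpriv),
        "chowned_container_root": can_read(chowned, container_root),
        "chowned_any_user": can_read(chowned, unpriv),
    }


if __name__ == "__main__":
    for case, readable in evaluate().items():
        print(f"{case:28s} readable={readable}")
```

The table that results makes the trade-off explicit: 0444 fixes iptables-save in the container but also lets every unprivileged user on the host read the list of loaded tables (the leak objected to above), while owning the entry by the namespace's root restores access for the container without widening it for anyone else.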
Thread overview (19+ messages):
2015-11-07 7:49 [PATCH] Expose x_tables /proc entries as 0444 not 0440 Philip Whineray
2015-11-11 16:50 ` Pablo Neira Ayuso [this message]
2015-11-11 18:25 ` Jozsef Kadlecsik
2015-11-11 18:40 ` Florian Westphal
2015-11-11 18:48 ` Jan Engelhardt
2015-11-11 19:35 ` Phil Whineray
2015-11-11 20:10 ` Jozsef Kadlecsik
2015-11-11 21:20 ` Phil Whineray
2015-11-14 9:12 ` [PATCH v2] Root in namespace owns x_tables /proc entries Philip Whineray
2015-11-15 18:53 ` Jozsef Kadlecsik
2015-11-16 11:56 ` Pablo Neira Ayuso
2015-11-16 12:57 ` Phil Whineray
2015-11-16 22:03 ` Eric W. Biederman
2015-11-16 21:56 ` Eric W. Biederman
2015-11-18 7:37 ` Phil Whineray
2015-11-18 9:13 ` Eric W. Biederman
2015-11-18 18:39 ` Phil Whineray
2015-11-22 11:35 ` [PATCH v3] Set /proc/net entries owner to root in namespace Philip Whineray
2015-11-25 12:55 ` Pablo Neira Ayuso