From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Philip Whineray <phil@firehol.org>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH] Expose x_tables /proc entries as 0444 not 0440
Date: Wed, 11 Nov 2015 17:50:26 +0100 [thread overview]
Message-ID: <20151111165026.GA20549@salvia> (raw)
In-Reply-To: <20151107074939.GA4003@compaq.slightly-cracked.com>
On Sat, Nov 07, 2015 at 07:49:39AM +0000, Philip Whineray wrote:
> Reading these files is impossible in an unprivileged user namespace,
> interfering with various firewall tools. For instance, iptables-save
> relies on reading /proc/net/ip_tables_names to dump only loaded tables.
>
> Hiding the contents from non-root users does not achieve anything
> practical. Possible values are well-known and the specifics can
> be inferred from a list of loaded modules on most systems.
>
> Signed-off-by: Philip Whineray <phil@firehol.org>
> ---
> An alternate might be to change the ownership of the files within the
> namespace when it is created:
>
> https://lists.linuxcontainers.org/pipermail/lxc-users/2014-November/008110.html
>
> I do not see that there is much advantage to this, it just ties the
> ability to read the files to the ability to create an unprivileged
> namespace.
So I understood this correctly, this approach would set the ownership
of the /proc entry to the corresponding root uid mapping from the
unpriviledged namespace, right? If so, I would prefer that approach.
This is partially leaking the filtering policy to non-root users as it
contains what modules are being used, so you can at least infer how
complex your ruleset is.
And I guess it will not be long time until someone else will follow up
with a similar patch later on to expose the content of
/proc/net/nf_conntrack to get this working on unpriviledged namespaces
too.
Thanks.
next prev parent reply other threads:[~2015-11-11 16:50 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-11-07 7:49 [PATCH] Expose x_tables /proc entries as 0444 not 0440 Philip Whineray
2015-11-11 16:50 ` Pablo Neira Ayuso [this message]
2015-11-11 18:25 ` Jozsef Kadlecsik
2015-11-11 18:40 ` Florian Westphal
2015-11-11 18:48 ` Jan Engelhardt
2015-11-11 19:35 ` Phil Whineray
2015-11-11 20:10 ` Jozsef Kadlecsik
2015-11-11 21:20 ` Phil Whineray
2015-11-14 9:12 ` [PATCH v2] Root in namespace owns x_tables /proc entries Philip Whineray
2015-11-15 18:53 ` Jozsef Kadlecsik
2015-11-16 11:56 ` Pablo Neira Ayuso
2015-11-16 12:57 ` Phil Whineray
2015-11-16 22:03 ` Eric W. Biederman
2015-11-16 21:56 ` Eric W. Biederman
2015-11-18 7:37 ` Phil Whineray
2015-11-18 9:13 ` Eric W. Biederman
2015-11-18 18:39 ` Phil Whineray
2015-11-22 11:35 ` [PATCH v3] Set /proc/net entries owner to root in namespace Philip Whineray
2015-11-25 12:55 ` Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20151111165026.GA20549@salvia \
--to=pablo@netfilter.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=phil@firehol.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).