[Devel] [PATCH RHEL7 COMMIT] netfilter: control iptables detries visibility in CT by S_ISVTX

Konstantin Khorenko khorenko at virtuozzo.com
Fri Jul 21 17:12:20 MSK 2017


The commit is pushed to "branch-rh7-3.10.0-514.26.1.vz7.33.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-514.26.1.vz7.33.14
------>
commit 66aec84b980892b821cb09ad009546f3ebebf13f
Author: Stanislav Kinsburskiy <skinsbursky at virtuozzo.com>
Date:   Fri Jul 21 18:12:20 2017 +0400

    netfilter: control iptables detries visibility in CT by S_ISVTX
    
    They won't be visible in CT if netfilter is disabled.
    
    https://jira.sw.ru/browse/PSBM-58574
    
    Signed-off-by: Stanislav Kinsburskiy <skinsbursky at virtuozzo.com>
    Reviewed-by: Andrey Ryabinin <aryabinin at virtuozzo.com>
---
 net/netfilter/x_tables.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 4a351de..c93f0aa 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -1639,6 +1639,7 @@ int xt_proto_init(struct net *net, u_int8_t af)
 #ifdef CONFIG_PROC_FS
 	char buf[XT_FUNCTION_MAXNAMELEN];
 	struct proc_dir_entry *proc;
+	int mode = 0440;
 #endif
 
 	if (af >= ARRAY_SIZE(xt_prefix))
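Review bot: The new `mode` variable is declared `int`, but it is passed as the mode argument of proc_create_data(), whose parameter is `umode_t`; declaring it `umode_t mode = 0440;` keeps the type consistent with the callee and avoids an implicit narrowing at each call site. Because S_ISVTX is OR-ed into it later, the octal initializer alone no longer tells a reader what the final mode means, so a short comment at the declaration would help, e.g. `/* S_ISVTX is OR-ed in below to mark the entries as visible inside containers */`. The body of xt_proto_init continues outside this hunk.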
@@ -1646,23 +1647,26 @@ int xt_proto_init(struct net *net, u_int8_t af)
 
 
 #ifdef CONFIG_PROC_FS
+	if (likely(net_ipt_permitted(net, VE_IP_IPTABLES)))
+		mode |= S_ISVTX;
+
 	strlcpy(buf, xt_prefix[af], sizeof(buf));
 	strlcat(buf, FORMAT_TABLES, sizeof(buf));
-	proc = proc_net_create_data(buf, 0440, net->proc_net, &xt_table_ops,
+	proc = proc_create_data(buf, mode, net->proc_net, &xt_table_ops,
 				(void *)(unsigned long)af);
 	if (!proc)
 		goto out;
 
 	strlcpy(buf, xt_prefix[af], sizeof(buf));
 	strlcat(buf, FORMAT_MATCHES, sizeof(buf));
-	proc = proc_net_create_data(buf, 0440, net->proc_net, &xt_match_ops,
+	proc = proc_create_data(buf, mode, net->proc_net, &xt_match_ops,
 				(void *)(unsigned long)af);
 	if (!proc)
 		goto out_remove_tables;
 
 	strlcpy(buf, xt_prefix[af], sizeof(buf));
 	strlcat(buf, FORMAT_TARGETS, sizeof(buf));
-	proc = proc_net_create_data(buf, 0440, net->proc_net, &xt_target_ops,
+	proc = proc_create_data(buf, mode, net->proc_net, &xt_target_ops,
 				(void *)(unsigned long)af);
 	if (!proc)
 		goto out_remove_matches;
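Review bot: The meaning of S_ISVTX here is not documented anywhere in the hunk: the sticky bit is used as an out-of-band "permitted in container" marker rather than as a permission bit, and nothing in the visible code shows who consumes it, so a reader has to infer that procfs lookup inside a container presumably filters out entries lacking it. A comment above the `if`, such as `/* Sticky bit marks the entry as visible inside a container; set only when iptables is permitted for this netns */`, would make the intent explicit. The `likely()` around the net_ipt_permitted() check is noise in a per-netns setup path that runs once, and `if (net_ipt_permitted(net, VE_IP_IPTABLES))` reads cleaner. The entries are still created when iptables is not permitted — only the marker differs — so their hiding relies on lookup-side filtering outside this patch, and the accompanying switch from proc_net_create_data() to proc_create_data() is not explained in the commit message either. xt_proto_init starts and ends outside this hunk.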

