[Devel] [PATCH rh8 05/28] ve/proc/netfilter: Get rid of per-CT iptables mask
Konstantin Khorenko
khorenko at virtuozzo.com
Tue Apr 13 11:25:15 MSK 2021
To_merge: 5388f5dc5606 ("ve/proc: restricted proc-entries scope")
https://jira.sw.ru/browse/PSBM-127787
Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
---
net/netfilter/x_tables.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 8eb93ef854c2..c5014610d3b9 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -1737,7 +1737,7 @@ int xt_proto_init(struct net *net, u_int8_t af)
struct proc_dir_entry *proc;
kuid_t root_uid;
kgid_t root_gid;
- int mode = 0440;
+ int mode;
#endif
if (af >= ARRAY_SIZE(xt_prefix))
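Review bot: The declaration `int mode;` is now left uninitialized and only receives its value in the later CONFIG_PROC_FS block, although that value no longer depends on any runtime condition. Keeping the initializer at the declaration, as in `int mode = 0440 | S_ISVTX;`, would remove the separate assignment and guard against a future change reading `mode` before it is set.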
@@ -1745,8 +1745,7 @@ int xt_proto_init(struct net *net, u_int8_t af)
#ifdef CONFIG_PROC_FS
- if (likely(net_ipt_permitted(net, VE_IP_IPTABLES)))
- mode |= S_ISVTX;
+ mode = 0440 | S_ISVTX;
root_uid = make_kuid(net->user_ns, 0);
root_gid = make_kgid(net->user_ns, 0);
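Review bot: The assignment `mode = 0440 | S_ISVTX;` sets the sticky bit unconditionally, but neither a code comment nor the commit message says what S_ISVTX signifies on these proc entries or why the `net_ipt_permitted(net, VE_IP_IPTABLES)` gate can be dropped. Since this changes the mode for any net that previously failed that check, please add a short comment at the assignment and a sentence in the commit message describing the intended visibility of the entries after the change.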
--
2.28.0