[Devel] [PATCH rh7 2/2] Revert "net: Show all connections in init namespace"

Konstantin Khorenko khorenko at virtuozzo.com
Fri Apr 24 20:10:28 MSK 2020


This reverts commit 201b85da71d3350f0228c6a35cf62e7b17efd9bb.

Long ago in https://bugs.openvz.org/browse/OVZ-5192
we've allowed host to see Container's connections,
which is against usual net namespaces rules.

In vz7 de facto host never was allowed to see Contaners' connections:
* first - due to a bug https://bugs.openvz.org/browse/OVZ-6600
* later due to a fix
  b6c0f8cf6332f ("ve/net: Exclude foreign CT sockets from
  /proc/net/tcp{,6}")

As we consider the current behavior correct (a namespace should not leak
info to other namespaces), let's drop patches which intended to provide
this functionality.

If one wants to check all connections from host, he can use
"ip -all netns exec netstat -n" to get info about Container's root net
namespaces.
The latter command shows all netns which were created via "ip" utility.

If he wants to be more precise and want to check really ALL net
namespaces, it's enough to iterate over all net namespaces via
"nsenter -t $PROC_PID -n netstat -n".

https://bugs.openvz.org/browse/OVZ-7202

Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
---
 include/net/net_namespace.h | 10 ----------
 net/ipv4/raw.c              |  4 ++--
 net/ipv4/tcp_ipv4.c         |  7 +++----
 net/ipv4/udp.c              |  4 ++--
 4 files changed, 7 insertions(+), 18 deletions(-)

diff --git a/include/net/net_namespace.h b/include/net/net_namespace.h
index 2edad00362601..e40d8f6e0b392 100644
--- a/include/net/net_namespace.h
+++ b/include/net/net_namespace.h
@@ -281,11 +281,6 @@ int net_eq(const struct net *net1, const struct net *net2)
 
 extern void net_drop_ns(void *);
 
-/* Returns whether curr can mess with net's objects */
-static inline int net_access_allowed(const struct net *net, const struct net *curr)
-{
-	return net_eq(curr, &init_net) || net_eq(curr, net);
-}
 #else
 
 static inline struct net *get_net(struct net *net)
@@ -309,11 +304,6 @@ int net_eq(const struct net *net1, const struct net *net2)
 }
 
 #define net_drop_ns NULL
-
-static inline int net_access_allowed(const struct net *net, const struct net *curr)
-{
-	return 1;
-}
 #endif
 
 
diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
index 66fbfaac02afb..ae897dd78623c 100644
--- a/net/ipv4/raw.c
+++ b/net/ipv4/raw.c
@@ -922,7 +922,7 @@ static struct sock *raw_get_first(struct seq_file *seq)
 	for (state->bucket = 0; state->bucket < RAW_HTABLE_SIZE;
 			++state->bucket) {
 		sk_for_each(sk, &state->h->ht[state->bucket])
-			if (net_access_allowed(sock_net(sk), seq_file_net(seq)))
+			if (sock_net(sk) == seq_file_net(seq))
 				goto found;
 	}
 	sk = NULL;
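Review bot: The restored condition `if (sock_net(sk) == seq_file_net(seq))` compares struct net pointers directly, while the tcp_ipv4.c and udp.c hunks of the same patch restore `net_eq()`; the same raw pointer comparison comes back in raw_get_next in the next hunk. The result should be identical on this kernel (both sides reduce to the same struct net, and to &init_net when CONFIG_NET_NS is off), but `if (net_eq(sock_net(sk), seq_file_net(seq)))` here and `} while (sk && !net_eq(sock_net(sk), seq_file_net(seq)));` below keep the namespace-isolation check uniform and greppable across the four /proc/net iterators this revert touches. Since net_access_allowed() is deleted from include/net/net_namespace.h by this patch and the diffstat covers only the IPv4 seq files, any caller left outside these four files (if the reverted commit or patch 1/2 introduced one elsewhere) would no longer build, so a tree-wide grep before merging is worth it. raw_get_first's body continues outside the hunk.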
@@ -938,7 +938,7 @@ static struct sock *raw_get_next(struct seq_file *seq, struct sock *sk)
 		sk = sk_next(sk);
 try_again:
 		;
-	} while (sk && !net_access_allowed(sock_net(sk), seq_file_net(seq)));
+	} while (sk && sock_net(sk) != seq_file_net(seq));
 
 	if (!sk && ++state->bucket < RAW_HTABLE_SIZE) {
 		sk = sk_head(&state->h->ht[state->bucket]);
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 0417acc78e73b..f788d27369abe 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -1980,7 +1980,7 @@ static void *listening_get_next(struct seq_file *seq, void *cur)
 	}
 get_sk:
 	sk_nulls_for_each_from(sk, node) {
-		if (!net_access_allowed(sock_net(sk), net))
+		if (!net_eq(sock_net(sk), net))
 			continue;
 		if (sk->sk_family == st->family) {
 			cur = sk;
@@ -2055,7 +2055,7 @@ static void *established_get_first(struct seq_file *seq)
 		spin_lock_bh(lock);
 		sk_nulls_for_each(sk, node, &tcp_hashinfo.ehash[st->bucket].chain) {
 			if (sk->sk_family != st->family ||
-			    !net_access_allowed(sock_net(sk), net)) {
+			    !net_eq(sock_net(sk), net)) {
 				continue;
 			}
 			rc = sk;
@@ -2080,8 +2080,7 @@ static void *established_get_next(struct seq_file *seq, void *cur)
 	sk = sk_nulls_next(sk);
 
 	sk_nulls_for_each_from(sk, node) {
-		if (sk->sk_family == st->family &&
-		    net_access_allowed(sock_net(sk), net))
+		if (sk->sk_family == st->family && net_eq(sock_net(sk), net))
 			return sk;
 	}
 
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index 2e622f13f4dce..b581c7dc1661c 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -2465,7 +2465,7 @@ static struct sock *udp_get_first(struct seq_file *seq, int start)
 
 		spin_lock_bh(&hslot->lock);
 		sk_for_each(sk, &hslot->head) {
-			if (!net_access_allowed(sock_net(sk), net))
+			if (!net_eq(sock_net(sk), net))
 				continue;
 			if (sk->sk_family == state->family)
 				goto found;
@@ -2484,7 +2484,7 @@ static struct sock *udp_get_next(struct seq_file *seq, struct sock *sk)
 
 	do {
 		sk = sk_next(sk);
-	} while (sk && (!net_access_allowed(sock_net(sk), net) || sk->sk_family != state->family));
+	} while (sk && (!net_eq(sock_net(sk), net) || sk->sk_family != state->family));
 
 	if (!sk) {
 		if (state->bucket <= state->udp_table->mask)
-- 
2.15.1


