[Devel] [PATCH rh7 2/2] Revert "net: Show all connections in init namespace"

Kirill Tkhai ktkhai at virtuozzo.com
Mon Apr 27 11:23:13 MSK 2020


On 24.04.2020 20:10, Konstantin Khorenko wrote:
> This reverts commit 201b85da71d3350f0228c6a35cf62e7b17efd9bb.
> 
> Long ago in https://bugs.openvz.org/browse/OVZ-5192
> we've allowed host to see Container's connections,
> which is against usual net namespaces rules.
> 
> In vz7 de facto host never was allowed to see Contaners' connections:
> * first - due to a bug https://bugs.openvz.org/browse/OVZ-6600
> * later due to a fix
>   b6c0f8cf6332f ("ve/net: Exclude foreign CT sockets from
>   /proc/net/tcp{,6}")
> 
> As we consider the current behavior correct (a namespace should not leak
> info to other namespaces), let's drop patches which intended to provide
> this functionality.
> 
> If one wants to check all connections from host, he can use
> "ip -all netns exec netstat -n" to get info about Container's root net
> namespaces.
> The latter command shows all netns which were created via the "ip" utility.
> 
> If he wants to be more precise and check really ALL net
> namespaces, it's enough to iterate over all net namespaces via
> "nsenter -t $PROC_PID -n netstat -n".
> 
> https://bugs.openvz.org/browse/OVZ-7202
> 
> Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>

Reviewed-by: Kirill Tkhai <ktkhai at virtuozzo.com>

> ---
>  include/net/net_namespace.h | 10 ----------
>  net/ipv4/raw.c              |  4 ++--
>  net/ipv4/tcp_ipv4.c         |  7 +++----
>  net/ipv4/udp.c              |  4 ++--
>  4 files changed, 7 insertions(+), 18 deletions(-)
> 
> diff --git a/include/net/net_namespace.h b/include/net/net_namespace.h
> index 2edad00362601..e40d8f6e0b392 100644
> --- a/include/net/net_namespace.h
> +++ b/include/net/net_namespace.h
> @@ -281,11 +281,6 @@ int net_eq(const struct net *net1, const struct net *net2)
>  
>  extern void net_drop_ns(void *);
>  
> -/* Returns whether curr can mess with net's objects */
> -static inline int net_access_allowed(const struct net *net, const struct net *curr)
> -{
> -	return net_eq(curr, &init_net) || net_eq(curr, net);
> -}
>  #else
>  
>  static inline struct net *get_net(struct net *net)
> @@ -309,11 +304,6 @@ int net_eq(const struct net *net1, const struct net *net2)
>  }
>  
>  #define net_drop_ns NULL
> -
> -static inline int net_access_allowed(const struct net *net, const struct net *curr)
> -{
> -	return 1;
> -}
>  #endif
>  
>  
> diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
> index 66fbfaac02afb..ae897dd78623c 100644
> --- a/net/ipv4/raw.c
> +++ b/net/ipv4/raw.c
> @@ -922,7 +922,7 @@ static struct sock *raw_get_first(struct seq_file *seq)
>  	for (state->bucket = 0; state->bucket < RAW_HTABLE_SIZE;
>  			++state->bucket) {
>  		sk_for_each(sk, &state->h->ht[state->bucket])
> -			if (net_access_allowed(sock_net(sk), seq_file_net(seq)))
> +			if (sock_net(sk) == seq_file_net(seq))
>  				goto found;
>  	}
>  	sk = NULL;
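Review bot: The restored check on the `+` line compares the namespace pointers with `==`, while the tcp_ipv4.c and udp.c hunks of this same series use `net_eq()`, which the header keeps as context in both the CONFIG_NET_NS branch and the stub branch. Using the helper keeps raw.c consistent with the other walkers without changing behaviour: `if (net_eq(sock_net(sk), seq_file_net(seq)))`. The same applies to the `!=` in the raw_get_next hunk below, `} while (sk && !net_eq(sock_net(sk), seq_file_net(seq)));`. raw_get_first begins before this hunk.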
> @@ -938,7 +938,7 @@ static struct sock *raw_get_next(struct seq_file *seq, struct sock *sk)
>  		sk = sk_next(sk);
>  try_again:
>  		;
> -	} while (sk && !net_access_allowed(sock_net(sk), seq_file_net(seq)));
> +	} while (sk && sock_net(sk) != seq_file_net(seq));
>  
>  	if (!sk && ++state->bucket < RAW_HTABLE_SIZE) {
>  		sk = sk_head(&state->h->ht[state->bucket]);
> diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
> index 0417acc78e73b..f788d27369abe 100644
> --- a/net/ipv4/tcp_ipv4.c
> +++ b/net/ipv4/tcp_ipv4.c
> @@ -1980,7 +1980,7 @@ static void *listening_get_next(struct seq_file *seq, void *cur)
>  	}
>  get_sk:
>  	sk_nulls_for_each_from(sk, node) {
> -		if (!net_access_allowed(sock_net(sk), net))
> +		if (!net_eq(sock_net(sk), net))
>  			continue;
>  		if (sk->sk_family == st->family) {
>  			cur = sk;
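Review bot: After this revert net_eq() is the only namespace filter visible in listening_get_next, so the earlier CT-socket exclusion the description cites (b6c0f8cf6332f, "ve/net: Exclude foreign CT sockets from /proc/net/tcp{,6}") may now be a second, redundant check in these walkers if it lives in the same functions. It is worth confirming whether that is the case; if so, a follow-up could drop it so the visibility rule is expressed in one place. The same question applies to the established_get_first and established_get_next hunks. listening_get_next starts and ends outside this hunk.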
> @@ -2055,7 +2055,7 @@ static void *established_get_first(struct seq_file *seq)
>  		spin_lock_bh(lock);
>  		sk_nulls_for_each(sk, node, &tcp_hashinfo.ehash[st->bucket].chain) {
>  			if (sk->sk_family != st->family ||
> -			    !net_access_allowed(sock_net(sk), net)) {
> +			    !net_eq(sock_net(sk), net)) {
>  				continue;
>  			}
>  			rc = sk;
> @@ -2080,8 +2080,7 @@ static void *established_get_next(struct seq_file *seq, void *cur)
>  	sk = sk_nulls_next(sk);
>  
>  	sk_nulls_for_each_from(sk, node) {
> -		if (sk->sk_family == st->family &&
> -		    net_access_allowed(sock_net(sk), net))
> +		if (sk->sk_family == st->family && net_eq(sock_net(sk), net))
>  			return sk;
>  	}
>  
> diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
> index 2e622f13f4dce..b581c7dc1661c 100644
> --- a/net/ipv4/udp.c
> +++ b/net/ipv4/udp.c
> @@ -2465,7 +2465,7 @@ static struct sock *udp_get_first(struct seq_file *seq, int start)
>  
>  		spin_lock_bh(&hslot->lock);
>  		sk_for_each(sk, &hslot->head) {
> -			if (!net_access_allowed(sock_net(sk), net))
> +			if (!net_eq(sock_net(sk), net))
>  				continue;
>  			if (sk->sk_family == state->family)
>  				goto found;
> @@ -2484,7 +2484,7 @@ static struct sock *udp_get_next(struct seq_file *seq, struct sock *sk)
>  
>  	do {
>  		sk = sk_next(sk);
> -	} while (sk && (!net_access_allowed(sock_net(sk), net) || sk->sk_family != state->family));
> +	} while (sk && (!net_eq(sock_net(sk), net) || sk->sk_family != state->family));
>  
>  	if (!sk) {
>  		if (state->bucket <= state->udp_table->mask)
> 


