[Devel] [PATCH RHEL7 COMMIT] Revert "net: Show all connections in init namespace"
Konstantin Khorenko
khorenko at virtuozzo.com
Mon Apr 27 13:46:51 MSK 2020
The commit is pushed to "branch-rh7-3.10.0-1127.vz7.150.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-1127.vz7.150.4
------>
commit 2cc4faed9fad8deef24f896298ad199bc8fea4af
Author: Konstantin Khorenko <khorenko at virtuozzo.com>
Date: Fri Apr 24 19:52:20 2020 +0300
Revert "net: Show all connections in init namespace"
This reverts commit 201b85da71d3350f0228c6a35cf62e7b17efd9bb.
Long ago in https://bugs.openvz.org/browse/OVZ-5192
we've allowed host to see Container's connections,
which is against usual net namespaces rules.
In vz7 de facto host never was allowed to see Contaners' connections:
* first - due to a bug https://bugs.openvz.org/browse/OVZ-6600
* later due to a fix
b6c0f8cf6332f ("ve/net: Exclude foreign CT sockets from
/proc/net/tcp{,6}")
As we consider the current behavior correct (a namespace should not leak
info to other namespaces), let's drop patches which intended to provide
this functionality.
If one wants to check all connections from host, he can use
"ip -all netns exec netstat -n" to get info about Container's root net
namespaces.
The latter command shows all netns which were created via the "ip" utility.
If he wants to be more precise and wants to check really ALL net
namespaces, it's enough to iterate over all net namespaces via
"nsenter -t $PROC_PID -n netstat -n".
https://bugs.openvz.org/browse/OVZ-7202
Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
Reviewed-by: Kirill Tkhai <ktkhai at virtuozzo.com>
---
include/net/net_namespace.h | 10 ----------
net/ipv4/raw.c | 4 ++--
net/ipv4/tcp_ipv4.c | 7 +++----
net/ipv4/udp.c | 4 ++--
4 files changed, 7 insertions(+), 18 deletions(-)
diff --git a/include/net/net_namespace.h b/include/net/net_namespace.h
index 2edad00362601..e40d8f6e0b392 100644
--- a/include/net/net_namespace.h
+++ b/include/net/net_namespace.h
@@ -281,11 +281,6 @@ int net_eq(const struct net *net1, const struct net *net2)
extern void net_drop_ns(void *);
-/* Returns whether curr can mess with net's objects */
-static inline int net_access_allowed(const struct net *net, const struct net *curr)
-{
- return net_eq(curr, &init_net) || net_eq(curr, net);
-}
#else
static inline struct net *get_net(struct net *net)
@@ -309,11 +304,6 @@ int net_eq(const struct net *net1, const struct net *net2)
}
#define net_drop_ns NULL
-
-static inline int net_access_allowed(const struct net *net, const struct net *curr)
-{
- return 1;
-}
#endif
diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
index 66fbfaac02afb..ae897dd78623c 100644
--- a/net/ipv4/raw.c
+++ b/net/ipv4/raw.c
@@ -922,7 +922,7 @@ static struct sock *raw_get_first(struct seq_file *seq)
for (state->bucket = 0; state->bucket < RAW_HTABLE_SIZE;
++state->bucket) {
sk_for_each(sk, &state->h->ht[state->bucket])
- if (net_access_allowed(sock_net(sk), seq_file_net(seq)))
+ if (sock_net(sk) == seq_file_net(seq))
goto found;
}
sk = NULL;
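Review bot: The new check on the `+` line of this hunk compares net pointers directly, `sock_net(sk) == seq_file_net(seq)`, while every other hunk in this series (tcp_ipv4.c, udp.c) expresses the same namespace test through `net_eq()`; the second raw.c hunk (raw_get_next) has the same pointer comparison in its `while` condition. Using `net_eq(sock_net(sk), seq_file_net(seq))` here and `!net_eq(sock_net(sk), seq_file_net(seq))` in raw_get_next would keep the per-netns filtering in one idiom, which matters because this comparison is the only thing keeping a container's raw sockets out of another namespace's /proc/net/raw. If the intent is to restore the pre-201b85da text verbatim that is a reasonable reason to leave it, but a one-line mention in the commit message would make that explicit. raw_get_first's body begins above this hunk.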
@@ -938,7 +938,7 @@ static struct sock *raw_get_next(struct seq_file *seq, struct sock *sk)
sk = sk_next(sk);
try_again:
;
- } while (sk && !net_access_allowed(sock_net(sk), seq_file_net(seq)));
+ } while (sk && sock_net(sk) != seq_file_net(seq));
if (!sk && ++state->bucket < RAW_HTABLE_SIZE) {
sk = sk_head(&state->h->ht[state->bucket]);
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 0417acc78e73b..f788d27369abe 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -1980,7 +1980,7 @@ static void *listening_get_next(struct seq_file *seq, void *cur)
}
get_sk:
sk_nulls_for_each_from(sk, node) {
- if (!net_access_allowed(sock_net(sk), net))
+ if (!net_eq(sock_net(sk), net))
continue;
if (sk->sk_family == st->family) {
cur = sk;
@@ -2055,7 +2055,7 @@ static void *established_get_first(struct seq_file *seq)
spin_lock_bh(lock);
sk_nulls_for_each(sk, node, &tcp_hashinfo.ehash[st->bucket].chain) {
if (sk->sk_family != st->family ||
- !net_access_allowed(sock_net(sk), net)) {
+ !net_eq(sock_net(sk), net)) {
continue;
}
rc = sk;
@@ -2080,8 +2080,7 @@ static void *established_get_next(struct seq_file *seq, void *cur)
sk = sk_nulls_next(sk);
sk_nulls_for_each_from(sk, node) {
- if (sk->sk_family == st->family &&
- net_access_allowed(sock_net(sk), net))
+ if (sk->sk_family == st->family && net_eq(sock_net(sk), net))
return sk;
}
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index 2e622f13f4dce..b581c7dc1661c 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -2465,7 +2465,7 @@ static struct sock *udp_get_first(struct seq_file *seq, int start)
spin_lock_bh(&hslot->lock);
sk_for_each(sk, &hslot->head) {
- if (!net_access_allowed(sock_net(sk), net))
+ if (!net_eq(sock_net(sk), net))
continue;
if (sk->sk_family == state->family)
goto found;
@@ -2484,7 +2484,7 @@ static struct sock *udp_get_next(struct seq_file *seq, struct sock *sk)
do {
sk = sk_next(sk);
- } while (sk && (!net_access_allowed(sock_net(sk), net) || sk->sk_family != state->family));
+ } while (sk && (!net_eq(sock_net(sk), net) || sk->sk_family != state->family));
if (!sk) {
if (state->bucket <= state->udp_table->mask)