[RHEL8,COMMIT] Revert "net: Show all connections in init namespace"

Submitted by Konstantin Khorenko on May 7, 2020, 6:54 p.m.


Message ID 202005071854.047IsPEd025696@finist_co8.work.ct
State New
Series "ve/net: Don't show all connections in init netns"

Commit Message

Konstantin Khorenko May 7, 2020, 6:54 p.m.
The commit is pushed to "branch-rh8-4.18.0-80.1.2.vz8.3.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh8-4.18.0-80.1.2.vz8.3.8
------>
commit 765e4ccb771051ddd47d0109d232444c108f48a2
Author: Konstantin Khorenko <khorenko@virtuozzo.com>
Date:   Thu May 7 21:52:08 2020 +0300

    Revert "net: Show all connections in init namespace"
    
    This reverts commit 2389a3a424c383f62f1afb4078ddf705d0348a49.
    
        Long ago in https://bugs.openvz.org/browse/OVZ-5192
        we've allowed host to see Container's connections,
        which is against usual net namespaces rules.
    
        In vz7 de facto host never was allowed to see Contaners' connections:
        * first - due to a bug https://bugs.openvz.org/browse/OVZ-6600
        * later due to a fix
          b6c0f8cf6332f ("ve/net: Exclude foreign CT sockets from
          /proc/net/tcp{,6}")
    
        As we consider the current behavior correct (a namespace should not leak
        info to other namespaces), let's drop patches which intended to provide
        this functionality.
    
        If one wants to check all connections from host, he can use
        "ip -all netns exec netstat -n" to get info about Container's root net
        namespaces.
        The latter command shows all netns which were created via the "ip" utility.
    
        If he wants to be more precise and wants to check really ALL net
        namespaces, it's enough to iterate over all net namespaces via
        "nsenter -t $PROC_PID -n netstat -n".
    
        https://bugs.openvz.org/browse/OVZ-7202
    
        Signed-off-by: Konstantin Khorenko <khorenko@virtuozzo.com>
        Reviewed-by: Kirill Tkhai <ktkhai@virtuozzo.com>
    
    Signed-off-by: Konstantin Khorenko <khorenko@virtuozzo.com>
---
 include/net/net_namespace.h | 10 ----------
 net/ipv4/raw.c              |  4 ++--
 net/ipv4/udp.c              |  4 ++--
 3 files changed, 4 insertions(+), 14 deletions(-)


diff --git a/include/net/net_namespace.h b/include/net/net_namespace.h
index a19dc46d1932..9f0a3eaac6c0 100644
--- a/include/net/net_namespace.h
+++ b/include/net/net_namespace.h
@@ -246,11 +246,6 @@  static inline int check_net(const struct net *net)
 
 void net_drop_ns(void *);
 
-/* Returns whether curr can mess with net's objects */
-static inline int net_access_allowed(const struct net *net, const struct net *curr)
-{
-	return net_eq(curr, &init_net) || net_eq(curr, net);
-}
 #else
 
 static inline struct net *get_net(struct net *net)
@@ -279,11 +274,6 @@  static inline int check_net(const struct net *net)
 }
 
 #define net_drop_ns NULL
-
-static inline int net_access_allowed(const struct net *net, const struct net *curr)
-{
-	return 1;
-}
 #endif
 
 
diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
index b8744bae2850..932b013e9ff6 100644
--- a/net/ipv4/raw.c
+++ b/net/ipv4/raw.c
@@ -1011,7 +1011,7 @@  static struct sock *raw_get_first(struct seq_file *seq)
 	for (state->bucket = 0; state->bucket < RAW_HTABLE_SIZE;
 			++state->bucket) {
 		sk_for_each(sk, &h->ht[state->bucket])
-			if (net_access_allowed(sock_net(sk), seq_file_net(seq)))
+			if (sock_net(sk) == seq_file_net(seq))
 				goto found;
 	}
 	sk = NULL;
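Review bot: The restored condition on the `+` line compares `struct net` pointers with a bare `==`, while the udp.c hunks of this same commit use `net_eq()`, so the two seq files now apply the same per-netns filter with two different idioms; `net_eq()` is also the helper the removed net_access_allowed() used. A consistent form would be `if (net_eq(sock_net(sk), seq_file_net(seq)))` here and `} while (sk && !net_eq(sock_net(sk), seq_file_net(seq)));` in the raw_get_next hunk that follows. Since the revert restores the pre-patch text verbatim this is likely deliberate for a minimal revert, so it could be left to a follow-up. raw_get_first begins and ends outside the hunk.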
@@ -1028,7 +1028,7 @@  static struct sock *raw_get_next(struct seq_file *seq, struct sock *sk)
 		sk = sk_next(sk);
 try_again:
 		;
-	} while (sk && !net_access_allowed(sock_net(sk), seq_file_net(seq)));
+	} while (sk && sock_net(sk) != seq_file_net(seq));
 
 	if (!sk && ++state->bucket < RAW_HTABLE_SIZE) {
 		sk = sk_head(&h->ht[state->bucket]);
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index b91e33d25ca8..d4614519ea37 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -2705,7 +2705,7 @@  static struct sock *udp_get_first(struct seq_file *seq, int start)
 
 		spin_lock_bh(&hslot->lock);
 		sk_for_each(sk, &hslot->head) {
-			if (!net_access_allowed(sock_net(sk), net))
+			if (!net_eq(sock_net(sk), net))
 				continue;
 			if (sk->sk_family == afinfo->family)
 				goto found;
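Review bot: With the commented net_access_allowed() helper removed in the header hunk, nothing in the code any longer states that the `net_eq()` check on the `+` line is an isolation boundary rather than an ordinary filter, which is what the commit message says it is meant to be. A one-line comment above the check would keep that intent for the next reader, e.g. `/* Never list sockets of another netns, not even from init_net (OVZ-7202). */`. `net` is assigned outside the hunk, presumably from seq_file_net(seq). udp_get_first starts and ends outside the hunk.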
@@ -2725,7 +2725,7 @@  static struct sock *udp_get_next(struct seq_file *seq, struct sock *sk)
 
 	do {
 		sk = sk_next(sk);
-	} while (sk && (!net_access_allowed(sock_net(sk), net) || sk->sk_family != afinfo->family));
+	} while (sk && (!net_eq(sock_net(sk), net) || sk->sk_family != afinfo->family));
 
 	if (!sk) {
 		if (state->bucket <= afinfo->udp_table->mask)