From: Pavel Emelyanov <xemul@openvz.org>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: Andrew Morton <akpm@linux-foundation.org>,
	David Miller <davem@davemloft.net>,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
	Linux Netdev List <netdev@vger.kernel.org>,
	"Eric W. Biederman" <ebiederm@xmission.com>,
	"Paul E. McKenney" <paulmck@linux.vnet.ibm.com>,
	James Morris <jmorris@namei.org>,
	Eric Paris <eparis@parisplace.org>
Subject: Re: [PATCH] Make /proc/net a symlink on /proc/self/net (v2)
Date: Fri, 07 Mar 2008 15:03:04 +0300
Message-ID: <47D12EF8.8010801@openvz.org>
In-Reply-To: <1204832619.1397.354.camel@moss-spartans.epoch.ncsc.mil>

[snip]

>>> Does this break SELinux labeling of /proc/net inodes and thus its access
>>> controls on them?
>> It should not, since the proc_dir_entries are still organized in
>> the required hierarchy.
> 
> Unfortunately, it does break selinux labeling of /proc/net inodes.
> Easily seen by running ls -ZR /proc/net before and after the patch is
> applied and comparing the results.  
> 
> Also, as a separate issue, a "find /proc/self/net ..." will show that
> the hard link count is wrong for it.

Oops... I checked this explicitly before sending, but it looks like I
used too old a find version: 4.1.20 worked OK, but 4.2.23 reported the
nlink discrepancy.

Anyway, this is fixed now (see below). I override the getattr method for
the /proc/net directory and fill the link count in from the net->proc_net
entry, which is calculated correctly.

> Currently the inodes get labeled by selinux_proc_get_sid() by walking up
> the proc_dir_entry tree to generate a name and prefix matching that name
> in policy.  Before the patch, we'd get names like "//net/tcp", i.e.
> relative to the root of proc (the extra leading slash is due to the
> earlier proc net rewrite which also broke selinux until we adjusted it
> to ignore it).  After the patch, we just get "//tcp", which is ambiguous
> since we would also get that for a /proc/tcp inode if one existed.

OK, got it. Is it fine if we used to get //net/tcp but will now get /net/tcp
(without the double slash)? The patch below does exactly this. It initializes
the name for the net->proc_net entry and makes its parent proc_root.

Can you Ack this patch so that I can merge it with the original one and
re-post the combined v3?

> Not trying to obstruct your proc net improvements, but just want to make
> sure that selinux doesn't get broken in the process.

diff --git a/fs/proc/proc_net.c b/fs/proc/proc_net.c
index 18d413c..4caa5f7 100644
--- a/fs/proc/proc_net.c
+++ b/fs/proc/proc_net.c
@@ -96,8 +96,27 @@ static struct dentry *proc_tgid_net_lookup(struct inode *dir,
 	return de;
 }
 
+static int proc_tgid_net_getattr(struct vfsmount *mnt, struct dentry *dentry,
+		struct kstat *stat)
+{
+	struct inode *inode = dentry->d_inode;
+	struct net *net;
+
+	net = get_proc_task_net(inode);
+
+	generic_fillattr(inode, stat);
+
+	if (net != NULL) {
+		stat->nlink = net->proc_net->nlink;
+		put_net(net);
+	}
+
+	return 0;
+}
+
 const struct inode_operations proc_net_inode_operations = {
 	.lookup		= proc_tgid_net_lookup,
+	.getattr	= proc_tgid_net_getattr,
 };
 
 static int proc_tgid_net_readdir(struct file *filp, void *dirent,
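Review bot: the corrected link count is visible only through ->getattr. proc_tgid_net_getattr() calls generic_fillattr(inode, stat) and then overrides stat->nlink from net->proc_net->nlink, so inode->i_nlink of the /proc/<pid>/net inode keeps whatever value it was instantiated with; stat(2)/fstat(2) see the fixed count, but anything reading inode->i_nlink directly does not. Either set the inode's link count where that inode is created as well, or add a comment here stating that the inode field is deliberately left alone and ->getattr is the only trustworthy source. The NULL check on get_proc_task_net() paired with put_net() is correct; a one-line comment that NULL means the owning task is gone (so the generic attributes are returned unchanged) would make the fallback path clearer.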
@@ -162,6 +181,10 @@ static __net_init int proc_net_ns_init(struct net *net)
 		goto out;
 
 	netd->data = net;
+	netd->nlink = 2;
+	netd->name = "net";
+	netd->namelen = 3;
+	netd->parent = &proc_root;
 
 	err = -EEXIST;
 	net_statd = proc_net_mkdir(net, "stat", netd);
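Review bot: netd->parent = &proc_root attaches the per-namespace "net" entry to proc_root by back-pointer only; nothing in the hunk inserts it into proc_root's list of children, so walking up from a child (which is what the name generation needs) works, but walking down from proc_root will not find it. That asymmetry wants a comment next to these four assignments saying that name/namelen/parent are set so that path generation (e.g. selinux_proc_get_sid() building "/net/<file>") works, not to register the directory under proc_root. Also, netd->namelen = 3 repeats the length of "net" by hand; sizeof("net") - 1 or strlen() keeps the two from drifting apart. netd->nlink = 2 is assigned before the proc_net_mkdir(net, "stat", netd) call that follows, which is the right order if directory registration bumps the parent's count, and since proc_tgid_net_getattr() reports exactly this field, the ordering deserves a brief note too.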

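An added example, not code from the thread or from the patch above, showing the check that Stephen's find run was making. On classic Unix filesystems a directory carries 2 links of its own ("." and its entry in the parent) plus one ".." per immediate subdirectory, so st_nlink == 2 + subdirectories; find(1) relied on that rule as a leaf-pruning optimisation and warned when the count it read contradicted what it actually found. The script assumes that rule (a count below 2, as btrfs reports for directories, is treated as a filesystem that does not maintain it and is reported as "skip"), assumes /proc/self/net exists on the machine it runs on, and generalizes the check to any directory so it can be tried on a temporary one as well.

```shell
#!/bin/sh
# Added example, not code from the thread or the kernel patch: reproduce the
# consistency check behind GNU find's "Hard link count is wrong" warning.
#
# Assumption (the classic Unix rule): a directory has two links of its own
# ("." and its entry in the parent) plus one ".." entry per immediate
# subdirectory, so st_nlink == 2 + <number of subdirectories>.

# Pure comparison with no filesystem access: prints ok, mismatch or skip.
# Filesystems that do not maintain the rule report a directory link count
# below 2 (btrfs reports 1); those are reported as skip rather than mismatch.
nlink_verdict() {
    nlink=$1
    subdirs=$2
    if [ "$nlink" -lt 2 ]; then
        echo skip
    elif [ "$nlink" -eq $((subdirs + 2)) ]; then
        echo ok
    else
        echo "expected nlink $((subdirs + 2)) for $subdirs subdirs, got $nlink" >&2
        echo mismatch
    fi
}

# Immediate subdirectories of $1, dot-names included. Symlinks to
# directories are excluded: they add no ".." entry and must not be counted.
count_subdirs() {
    n=0
    for entry in "$1"/* "$1"/.[!.]* "$1"/..?*; do
        if [ -d "$entry" ] && [ ! -L "$entry" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Link count as the kernel's getattr reports it for $1. The ls -l line
# format is specified by POSIX, so field 2 is portable; -L follows a
# symlink such as /proc/net so the target directory is measured.
dir_nlink() {
    ls -ldL "$1" | awk '{ print $2 }'
}

# Combine the two for a real directory on disk or in procfs.
check_dir_nlink() {
    nlink_verdict "$(dir_nlink "$1")" "$(count_subdirs "$1")"
}

# Run against the directories the thread is about, where present.
for d in /proc/self/net /proc/net; do
    if [ -d "$d" ]; then
        printf '%s: %s\n' "$d" "$(check_dir_nlink "$d")"
    fi
done
```

Run it on a kernel without and with the patch: the /proc/self/net line is the one that should move from "mismatch" to "ok", which is the same discrepancy that the newer find printed. The SELinux half of the report has no script equivalent here; compare ls -ZR /proc/net output from both kernels as Stephen describes and look for entries whose context changed.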
Thread overview: 9+ messages
2008-03-06  9:18 [PATCH] Make /proc/net a symlink on /proc/self/net (v2) Pavel Emelyanov
2008-03-06 12:24 ` Christoph Hellwig
2008-03-06 15:06 ` Eric W. Biederman
2008-03-06 15:57 ` Eric W. Biederman
2008-03-06 16:35 ` Stephen Smalley
2008-03-06 16:45   ` Pavel Emelyanov
2008-03-06 19:43     ` Stephen Smalley
2008-03-07 12:03       ` Pavel Emelyanov [this message]
2008-03-07 13:24         ` Stephen Smalley