On Mon, Jun 06, 2011 at 00:10 +0400, Solar Designer wrote:
> On Sun, Jun 05, 2011 at 11:47:46PM +0400, Vasiliy Kulikov wrote:
> > On Sun, Jun 05, 2011 at 23:26 +0400, Solar Designer wrote:
> > > On Sun, Jun 05, 2011 at 10:24:31PM +0400, Vasiliy Kulikov wrote:
> > > > TODO/thoughts:
> > > > - /proc/pid/net/ currently doesn't show ANYTHING, even "." and "..".
> > > >   This is confusing :)
> > > >
> > > Ouch. Can't you simply restrict its perms such that this directory
> > > can't be listed unless you have privs?
...
> > Another solution - create a fake net namespace and process this
> > namespace if not enough permissions :) It also removes weird netstat
> > errors like "seems like networking was disabled for this kernel".

A fake net namespace works perfectly:

$ LANG=C netstat -nlp4
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name

No warning from netstat. I remember brctl didn't properly handle
missing sysfs files, so fake files make sense.

Will repost the patch after I'm sure that changing hidepid works well
with inode caching (I see a bug in my current implementation).

Thanks,

--
Vasiliy