netdev.vger.kernel.org archive mirror
From: Stephen Hemminger <stephen@networkplumber.org>
To: Tejun Heo <tj@kernel.org>, "Eric W. Biederman" <ebiederm@xmission.com>
Cc: netdev@vger.kernel.org
Subject: Fw: [Bug 193911] New: net_prio.ifpriomap is not aware of the network namespace, and discloses all network interface
Date: Fri, 3 Feb 2017 15:53:30 -0800	[thread overview]
Message-ID: <20170203155330.06edece4@xeon-e3> (raw)



Begin forwarded message:

Date: Fri, 03 Feb 2017 21:14:28 +0000
From: bugzilla-daemon@bugzilla.kernel.org
To: stephen@networkplumber.org
Subject: [Bug 193911] New: net_prio.ifpriomap is not aware of the network namespace, and discloses all network interface


https://bugzilla.kernel.org/show_bug.cgi?id=193911

            Bug ID: 193911
           Summary: net_prio.ifpriomap is not aware of the network
                    namespace, and discloses all network interface
           Product: Networking
           Version: 2.5
    Kernel Version: 4.9
          Hardware: All
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: Other
          Assignee: stephen@networkplumber.org
          Reporter: xgao01@email.wm.edu
        Regression: No

The pseudo file net_prio.ifpriomap (under /sys/fs/cgroup/net_prio) contains a
map of the priorities assigned to traffic starting from processes in a cgroup
and leaving the system on various interfaces. The data format is in the form of
[ifname priority]. 

We find that the kernel handler function hooked at net_prio.ifpriomap is not
aware of the network namespace, and thus it discloses all network interfaces on
the physical machine to the containerized applications. 

To be more specific, the read operation of net_prio.ifpriomap is handled by the
function read_priomap. Tracing from this function, we can find it invokes
for_each_netdev_rcu and set the first parameter as the address of init_net. It
iterates all network devices of the host regardless of the network namespace.
Thus, from the view of a container, it can read the names of all network
devices of the host.

Here is an example. I checked it on Linux kernel 4.4 with Docker version
1.12.1. I do not have the latest kernel at hand. But there is no code change
between 4.4 and 4.9 for this function. It should be reproducible in the latest
kernel. 

I initiated a Docker container and checked the net_prio.ifpriomap inside the
container. It displayed all network interfaces information on the host.

Container: 
root@25e25d553c3b:/# cat /sys/fs/cgroup/net_prio/net_prio.ifpriomap 
lo 0
eth0 0
eth1 0
xenbr0 0
lxdbr0 0
virbr0 0
virbr0-nic 0
docker0 0
vnet0 0
vnet1 0
veth132de4a 0

Host:
XXXX@XXXX:~$ cat /sys/fs/cgroup/net_prio/net_prio.ifpriomap 
lo 0
eth0 0
eth1 0
xenbr0 0
lxdbr0 0
virbr0 0
virbr0-nic 0
docker0 0
vnet0 0
vnet1 0
veth132de4a 0

From the information displayed above, this file exposes the same network
interface information in a container and on a host, which we considered to be a
leakage for the network namespace.

-- 
You are receiving this mail because:
You are the assignee for the bug.
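A defender-side check for the disclosure described in the report, added here as an example (it is not code from the bug report or from the kernel): it parses the `ifname priority` lines of net_prio.ifpriomap and lists interface names that the reading namespace cannot otherwise see. The file path, the comparison against /sys/class/net, and the sample input are assumptions; the sample is constructed from the container output quoted above.

```python
"""Detect host interface names leaked through net_prio.ifpriomap.

Added example, not part of bug 193911 or the kernel sources. Compares the
interfaces listed in the ifpriomap file with those visible in the current
network namespace and reports the difference.
"""
import os

# cgroup v1 path used in the report (assumption: net_prio mounted there)
IFPRIOMAP = "/sys/fs/cgroup/net_prio/net_prio.ifpriomap"


def parse_ifpriomap(text):
    """Parse '[ifname priority]' lines into a dict of name -> priority.

    Blank lines are ignored. A malformed line raises ValueError so that a
    truncated or unexpected file is never silently reported as 'no leak'.
    """
    prio = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2 or not parts[1].isdigit():
            raise ValueError(f"line {lineno}: unexpected entry {line!r}")
        prio[parts[0]] = int(parts[1])
    return prio


def leaked_interfaces(priomap, visible):
    """Names present in the priomap but not visible in this namespace."""
    return sorted(set(priomap) - set(visible))


def check_current_namespace(path=IFPRIOMAP, sysfs="/sys/class/net"):
    """Run the comparison on the live system; returns the leaked names."""
    with open(path) as f:
        priomap = parse_ifpriomap(f.read())
    # /sys/class/net lists only the devices of the caller's namespace
    return leaked_interfaces(priomap, os.listdir(sysfs))


if __name__ == "__main__":
    leaked = check_current_namespace()
    if leaked:
        print("interfaces disclosed via ifpriomap:", ", ".join(leaked))
    else:
        print("ifpriomap lists only interfaces visible in this namespace")
```

Run inside a container whose namespace holds only `lo` and `eth0`; on an affected kernel the script prints the host-side names, on a fixed or namespace-aware one it prints nothing.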

Thread overview: 5+ messages
2017-02-03 23:53 Stephen Hemminger [this message]
2017-02-06  7:05 ` Fw: [Bug 193911] New: net_prio.ifpriomap is not aware of the network namespace, and discloses all network interface Cong Wang
2017-02-06 20:47   ` Tejun Heo
2017-02-12 19:04     ` Eric W. Biederman
2017-02-21 20:41       ` Tejun Heo
