From: Tejun Heo <tj@kernel.org>
To: Cong Wang <xiyou.wangcong@gmail.com>
Cc: Stephen Hemminger <stephen@networkplumber.org>,
Linux Kernel Network Developers <netdev@vger.kernel.org>,
xgao01@email.wm.edu, "Eric W. Biederman" <ebiederm@xmission.com>
Subject: Re: Fw: [Bug 193911] New: net_prio.ifpriomap is not aware of the network namespace, and discloses all network interface
Date: Mon, 6 Feb 2017 15:47:28 -0500
Message-ID: <20170206204728.GA23737@htj.duckdns.org>
In-Reply-To: <CAM_iQpVB_OvJy4Yz97MeOh9hNwm-mTG9aM1FWBpaaOmjroWvVw@mail.gmail.com>
Hello,
On Sun, Feb 05, 2017 at 11:05:36PM -0800, Cong Wang wrote:
> > To be more specific, the read operation of net_prio.ifpriomap is handled by the
> > function read_priomap. Tracing from this function, we can find it invokes
> > for_each_netdev_rcu and set the first parameter as the address of init_net. It
> > iterates all network devices of the host regardless of the network namespace.
> > Thus, from the view of a container, it can read the names of all network
> > devices of the host.
>
> I think that is probably because cgroup files don't provide a net pointer
> for the context, if so we probably need some API similar to
> class_create_file_ns().
Yeah, the whole thing never considered netns or delegation. Maybe the
read function itself should probably filter on the namespace of the
reader? I'm not completely sure whether trying to fix it won't cause
some of the existing use cases to break. Eric, what do you think?
Thanks.
--
tejun
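The bug report above describes net_prio.ifpriomap being populated from init_net, so a reader inside a container sees every host interface rather than only those in its own network namespace. The following script is an added example, not code from the thread or from the kernel: it parses the "ifname priority" lines of an ifpriomap file and reports any interface name that is not visible in the caller's namespace (as listed under /sys/class/net), which is the disclosure the report describes. The sample ifpriomap contents and the cgroup v1 mount path /sys/fs/cgroup/net_prio are constructed assumptions for the demo; adjust the path to where net_prio is mounted on the host being checked.

```python
"""Check whether net_prio.ifpriomap lists interfaces the reader's netns cannot see.

Added example; the ifpriomap sample and the cgroup mount path are constructed
assumptions, not values taken from the mailing-list thread.
"""
import os
from typing import Iterable

# Constructed sample of what a container might read from net_prio.ifpriomap
# when the kernel fills the file from init_net instead of the reader's netns.
SAMPLE_IFPRIOMAP = """\
lo 0
eth0 0
docker0 0
veth1a2b3c 0
wlp3s0 5
"""

# Constructed sample of the interfaces actually present in the container's netns.
SAMPLE_VISIBLE_IFACES = ["lo", "eth0"]

# Assumed cgroup v1 mount point for the net_prio controller (adjust as needed).
DEFAULT_IFPRIOMAP_PATH = "/sys/fs/cgroup/net_prio/net_prio.ifpriomap"


def parse_ifpriomap(text: str) -> dict:
    """Parse 'ifname priority' lines into {ifname: priority}; reject malformed lines."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"unexpected ifpriomap line: {line!r}")
        name, prio = parts
        result[name] = int(prio)
    return result


def leaked_interfaces(ifpriomap: dict, visible: Iterable[str]) -> set:
    """Interface names present in ifpriomap but not visible to the reader."""
    return set(ifpriomap) - set(visible)


def visible_interfaces(sysfs_net: str = "/sys/class/net") -> list:
    """Interfaces visible in the current network namespace, read from sysfs."""
    return sorted(os.listdir(sysfs_net))


def check_ifpriomap(ifpriomap_text: str, visible: Iterable[str]) -> dict:
    """Summarise how many entries the map has and which ones leak foreign names."""
    prios = parse_ifpriomap(ifpriomap_text)
    leaked = leaked_interfaces(prios, visible)
    return {"entries": len(prios), "leaked": sorted(leaked), "leaks": bool(leaked)}


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    print(check_ifpriomap(SAMPLE_IFPRIOMAP, SAMPLE_VISIBLE_IFACES))
    # Live check on this host/container, if the net_prio controller is mounted.
    if os.path.exists(DEFAULT_IFPRIOMAP_PATH):
        with open(DEFAULT_IFPRIOMAP_PATH) as f:
            print(check_ifpriomap(f.read(), visible_interfaces()))
```

Run it inside a container or a non-root network namespace: a non-empty `leaked` list means the map exposes interface names from outside the namespace, which is exactly the behaviour the report attributes to read_priomap iterating init_net. The net_prio controller exists only in cgroup v1, so on a v2-only host the live check is skipped.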
Thread overview (5+ messages):
2017-02-03 23:53 Fw: [Bug 193911] New: net_prio.ifpriomap is not aware of the network namespace, and discloses all network interface  Stephen Hemminger
2017-02-06  7:05 ` Cong Wang
2017-02-06 20:47 ` Tejun Heo [this message]
2017-02-12 19:04 ` Eric W. Biederman
2017-02-21 20:41 ` Tejun Heo