[NET]: Make /proc/net a symlink on /proc/self/net (v3)

Current /proc/net is done with so called "shadows", but current implementation is broken and has little chances to get fixed. The problem is that dentries subtree of /proc/net directory has fancy revalidation rules to make processes living in different net namespaces see different entries in /proc/net subtree, but currently, tasks see in the /proc/net subdir the contents of any other namespace, depending on who opened the file first. The proposed fix is to turn /proc/net into a symlink, which points to /proc/self/net, which in turn shows what previously was in /proc/net - the network-related info, from the net namespace the appropriate task lives in. # ls -l /proc/net lrwxrwxrwx 1 root root 8 Mar 5 15:17 /proc/net -> self/net In other words - this behaves like /proc/mounts, but unlike "mounts", "net" is not a file, but a directory. Changes from v2: * Fixed discrepancy of /proc/net nlink count and selinux labeling screwup pointed out by Stephen. To get the correct nlink count the ->getattr callback for /proc/net is overridden to read one from the net->proc_net entry. To make selinux still work the net->proc_net entry is initialized properly, i.e. with the "net" name and the proc_net parent. Selinux fixes are Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Changes from v1: * Fixed a task_struct leak in get_proc_task_net, pointed out by Paul. Signed-off-by: Pavel Emelyanov <xemul@openvz.org> Acked-by: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Pavel Emelyanov <xemul@openvz.org> 2008-03-07 14:08:40 -0500
committer: David S. Miller <davem@davemloft.net> 2008-03-07 14:08:40 -0500
commit: e9720acd728a46cb40daa52c99a979f7c4ff195c (patch)
tree: 01380f601384cf93f30dedb64afe80359fecb807 /fs/proc/proc_net.c
parent: 1ff82fe0024e8070c38346b8abc1ff09612dea4c (diff)
1 files changed, 89 insertions, 28 deletions
diff --git a/fs/proc/proc_net.c b/fs/proc/proc_net.c
index 14e9b5aaf863..4caa5f774fb7 100644
--- a/fs/proc/proc_net.c
+++ b/fs/proc/proc_net.c
@@ -63,6 +63,82 @@ int seq_release_net(struct inode *ino, struct file *f)
 }
 EXPORT_SYMBOL_GPL(seq_release_net);
+static struct net *get_proc_task_net(struct inode *dir)
+{
+        struct task_struct *task;
+        struct nsproxy *ns;
+        struct net *net = NULL;
+        rcu_read_lock();
+        task = pid_task(proc_pid(dir), PIDTYPE_PID);
+        if (task != NULL) {
+                ns = task_nsproxy(task);
+                if (ns != NULL)
+                        net = get_net(ns->net_ns);
+        }
+        rcu_read_unlock();
+        return net;
+}
+static struct dentry *proc_tgid_net_lookup(struct inode *dir,
+                struct dentry *dentry, struct nameidata *nd)
+{
+        struct dentry *de;
+        struct net *net;
+        de = ERR_PTR(-ENOENT);
+        net = get_proc_task_net(dir);
+        if (net != NULL) {
+                de = proc_lookup_de(net->proc_net, dir, dentry);
+                put_net(net);
+        }
+        return de;
+}
+static int proc_tgid_net_getattr(struct vfsmount *mnt, struct dentry *dentry,
+                struct kstat *stat)
+{
+        struct inode *inode = dentry->d_inode;
+        struct net *net;
+        net = get_proc_task_net(inode);
+        generic_fillattr(inode, stat);
+        if (net != NULL) {
+                stat->nlink = net->proc_net->nlink;
+                put_net(net);
+        }
+        return 0;
+}
+const struct inode_operations proc_net_inode_operations = {
+        .lookup         = proc_tgid_net_lookup,
+        .getattr        = proc_tgid_net_getattr,
+};
+static int proc_tgid_net_readdir(struct file *filp, void *dirent,
+                filldir_t filldir)
+{
+        int ret;
+        struct net *net;
+        ret = -EINVAL;
+        net = get_proc_task_net(filp->f_path.dentry->d_inode);
+        if (net != NULL) {
+                ret = proc_readdir_de(net->proc_net, filp, dirent, filldir);
+                put_net(net);
+        }
+        return ret;
+}
+const struct file_operations proc_net_operations = {
+        .read           = generic_read_dir,
+        .readdir        = proc_tgid_net_readdir,
+};
 struct proc_dir_entry *proc_net_fops_create(struct net *net,
        const char *name, mode_t mode, const struct file_operations *fops)
@@ -83,14 +159,6 @@ struct net *get_proc_net(const struct inode *inode)
 }
 EXPORT_SYMBOL_GPL(get_proc_net);
-static struct proc_dir_entry *shadow_pde;
-static struct proc_dir_entry *proc_net_shadow(struct task_struct *task,
-                                                struct proc_dir_entry *de)
-{
-        return task->nsproxy->net_ns->proc_net;
-}
 struct proc_dir_entry *proc_net_mkdir(struct net *net, const char *name,
                struct proc_dir_entry *parent)
 {
@@ -104,45 +172,39 @@ EXPORT_SYMBOL_GPL(proc_net_mkdir);
 static __net_init int proc_net_ns_init(struct net *net)
 {
-        struct proc_dir_entry *root, *netd, *net_statd;
+        struct proc_dir_entry *netd, *net_statd;
        int err;
        err = -ENOMEM;
-        root = kzalloc(sizeof(*root), GFP_KERNEL);
+        netd = kzalloc(sizeof(*netd), GFP_KERNEL);
-        if (!root)
+        if (!netd)
                goto out;
-        err = -EEXIST;
+        netd->data = net;
-        netd = proc_net_mkdir(net, "net", root);
+        netd->nlink = 2;
-        if (!netd)
+        netd->name = "net";
-                goto free_root;
+        netd->namelen = 3;
+        netd->parent = &proc_root;
        err = -EEXIST;
        net_statd = proc_net_mkdir(net, "stat", netd);
        if (!net_statd)
                goto free_net;
-        root->data = net;
-        net->proc_net_root = root;
        net->proc_net = netd;
        net->proc_net_stat = net_statd;
-        err = 0;
+        return 0;
+free_net:
+        kfree(netd);
 out:
        return err;
-free_net:
-        remove_proc_entry("net", root);
-free_root:
-        kfree(root);
-        goto out;
 }
 static __net_exit void proc_net_ns_exit(struct net *net)
 {
        remove_proc_entry("stat", net->proc_net);
-        remove_proc_entry("net", net->proc_net_root);
+        kfree(net->proc_net);
-        kfree(net->proc_net_root);
 }
 static struct pernet_operations __net_initdata proc_net_ns_ops = {
@@ -152,8 +214,7 @@ static struct pernet_operations __net_initdata proc_net_ns_ops = {
 int __init proc_net_init(void)
 {
-        shadow_pde = proc_mkdir("net", NULL);
+        proc_symlink("net", NULL, "self/net");
-        shadow_pde->shadow_proc = proc_net_shadow;
        return register_pernet_subsys(&proc_net_ns_ops);
 }
author	Pavel Emelyanov <xemul@openvz.org>	2008-03-07 14:08:40 -0500
committer	David S. Miller <davem@davemloft.net>	2008-03-07 14:08:40 -0500
commit	e9720acd728a46cb40daa52c99a979f7c4ff195c (patch)
tree	01380f601384cf93f30dedb64afe80359fecb807 /fs/proc/proc_net.c
parent	1ff82fe0024e8070c38346b8abc1ff09612dea4c (diff)

diff --git a/fs/proc/proc_net.c b/fs/proc/proc_net.c index 14e9b5aaf863..4caa5f774fb7 100644 --- a/fs/proc/proc_net.c +++ b/fs/proc/proc_net.c
@@ -63,6 +63,82 @@ int seq_release_net(struct inode ino, struct file f)
63	}	63	}
64	EXPORT_SYMBOL_GPL(seq_release_net);	64	EXPORT_SYMBOL_GPL(seq_release_net);
65		65
		66	static struct net get_proc_task_net(struct inode dir)
		67	{
		68	struct task_struct *task;
		69	struct nsproxy *ns;
		70	struct net *net = NULL;
		71
		72	rcu_read_lock();
		73	task = pid_task(proc_pid(dir), PIDTYPE_PID);
		74	if (task != NULL) {
		75	ns = task_nsproxy(task);
		76	if (ns != NULL)
		77	net = get_net(ns->net_ns);
		78	}
		79	rcu_read_unlock();
		80
		81	return net;
		82	}
		83
		84	static struct dentry proc_tgid_net_lookup(struct inode dir,
		85	struct dentry dentry, struct nameidata nd)
		86	{
		87	struct dentry *de;
		88	struct net *net;
		89
		90	de = ERR_PTR(-ENOENT);
		91	net = get_proc_task_net(dir);
		92	if (net != NULL) {
		93	de = proc_lookup_de(net->proc_net, dir, dentry);
		94	put_net(net);
		95	}
		96	return de;
		97	}
		98
		99	static int proc_tgid_net_getattr(struct vfsmount mnt, struct dentry dentry,
		100	struct kstat *stat)
		101	{
		102	struct inode *inode = dentry->d_inode;
		103	struct net *net;
		104
		105	net = get_proc_task_net(inode);
		106
		107	generic_fillattr(inode, stat);
		108
		109	if (net != NULL) {
		110	stat->nlink = net->proc_net->nlink;
		111	put_net(net);
		112	}
		113
		114	return 0;
		115	}
		116
		117	const struct inode_operations proc_net_inode_operations = {
		118	.lookup = proc_tgid_net_lookup,
		119	.getattr = proc_tgid_net_getattr,
		120	};
		121
		122	static int proc_tgid_net_readdir(struct file filp, void dirent,
		123	filldir_t filldir)
		124	{
		125	int ret;
		126	struct net *net;
		127
		128	ret = -EINVAL;
		129	net = get_proc_task_net(filp->f_path.dentry->d_inode);
		130	if (net != NULL) {
		131	ret = proc_readdir_de(net->proc_net, filp, dirent, filldir);
		132	put_net(net);
		133	}
		134	return ret;
		135	}
		136
		137	const struct file_operations proc_net_operations = {
		138	.read = generic_read_dir,
		139	.readdir = proc_tgid_net_readdir,
		140	};
		141
66		142
67	struct proc_dir_entry proc_net_fops_create(struct net net,	143	struct proc_dir_entry proc_net_fops_create(struct net net,
68	const char name, mode_t mode, const struct file_operations fops)	144	const char name, mode_t mode, const struct file_operations fops)
@@ -83,14 +159,6 @@ struct net get_proc_net(const struct inode inode)
83	}	159	}
84	EXPORT_SYMBOL_GPL(get_proc_net);	160	EXPORT_SYMBOL_GPL(get_proc_net);
85		161
86	static struct proc_dir_entry *shadow_pde;
87
88	static struct proc_dir_entry proc_net_shadow(struct task_struct task,
89	struct proc_dir_entry *de)
90	{
91	return task->nsproxy->net_ns->proc_net;
92	}
93
94	struct proc_dir_entry proc_net_mkdir(struct net net, const char *name,	162	struct proc_dir_entry proc_net_mkdir(struct net net, const char *name,
95	struct proc_dir_entry *parent)	163	struct proc_dir_entry *parent)
96	{	164	{
@@ -104,45 +172,39 @@ EXPORT_SYMBOL_GPL(proc_net_mkdir);
104		172
105	static __net_init int proc_net_ns_init(struct net *net)	173	static __net_init int proc_net_ns_init(struct net *net)
106	{	174	{
107	struct proc_dir_entry root, netd, *net_statd;	175	struct proc_dir_entry netd, net_statd;
108	int err;	176	int err;
109		177
110	err = -ENOMEM;	178	err = -ENOMEM;
111	root = kzalloc(sizeof(*root), GFP_KERNEL);	179	netd = kzalloc(sizeof(*netd), GFP_KERNEL);
112	if (!root)	180	if (!netd)
113	goto out;	181	goto out;
114		182
115	err = -EEXIST;	183	netd->data = net;
116	netd = proc_net_mkdir(net, "net", root);	184	netd->nlink = 2;
117	if (!netd)	185	netd->name = "net";
118	goto free_root;	186	netd->namelen = 3;
		187	netd->parent = &proc_root;
119		188
120	err = -EEXIST;	189	err = -EEXIST;
121	net_statd = proc_net_mkdir(net, "stat", netd);	190	net_statd = proc_net_mkdir(net, "stat", netd);
122	if (!net_statd)	191	if (!net_statd)
123	goto free_net;	192	goto free_net;
124		193
125	root->data = net;
126
127	net->proc_net_root = root;
128	net->proc_net = netd;	194	net->proc_net = netd;
129	net->proc_net_stat = net_statd;	195	net->proc_net_stat = net_statd;
130	err = 0;	196	return 0;
131		197
		198	free_net:
		199	kfree(netd);
132	out:	200	out:
133	return err;	201	return err;
134	free_net:
135	remove_proc_entry("net", root);
136	free_root:
137	kfree(root);
138	goto out;
139	}	202	}
140		203
141	static __net_exit void proc_net_ns_exit(struct net *net)	204	static __net_exit void proc_net_ns_exit(struct net *net)
142	{	205	{
143	remove_proc_entry("stat", net->proc_net);	206	remove_proc_entry("stat", net->proc_net);
144	remove_proc_entry("net", net->proc_net_root);	207	kfree(net->proc_net);
145	kfree(net->proc_net_root);
146	}	208	}
147		209
148	static struct pernet_operations __net_initdata proc_net_ns_ops = {	210	static struct pernet_operations __net_initdata proc_net_ns_ops = {
@@ -152,8 +214,7 @@ static struct pernet_operations __net_initdata proc_net_ns_ops = {
152		214
153	int __init proc_net_init(void)	215	int __init proc_net_init(void)
154	{	216	{
155	shadow_pde = proc_mkdir("net", NULL);	217	proc_symlink("net", NULL, "self/net");
156	shadow_pde->shadow_proc = proc_net_shadow;
157		218
158	return register_pernet_subsys(&proc_net_ns_ops);	219	return register_pernet_subsys(&proc_net_ns_ops);
159	}	220	}