On Fri, Feb 3, 2017 at 3:53 PM, Stephen Hemminger <step...@networkplumber.org> wrote:
>
>
> Begin forwarded message:
>
> Date: Fri, 03 Feb 2017 21:14:28 +0000
> From: bugzilla-dae...@bugzilla.kernel.org
> To: step...@networkplumber.org
> Subject: [Bug 193911] New: net_prio.ifpriomap is not aware of the network
> namespace, and discloses all network interface
>
>
> https://bugzilla.kernel.org/show_bug.cgi?id=193911
>
> Bug ID: 193911
> Summary: net_prio.ifpriomap is not aware of the network
> namespace, and discloses all network interface
> Product: Networking
> Version: 2.5
> Kernel Version: 4.9
> Hardware: All
> OS: Linux
> Tree: Mainline
> Status: NEW
> Severity: normal
> Priority: P1
> Component: Other
> Assignee: step...@networkplumber.org
> Reporter: xga...@email.wm.edu
> Regression: No
>
> The pseudo file net_prio.ifpriomap (under /sys/fs/cgroup/net_prio) contains a
> map of the priorities assigned to traffic starting from processes in a cgroup
> and leaving the system on various interfaces. The data format is in the form of
> [ifname priority].
>
> We find that the kernel handler function hooked at net_prio.ifpriomap is not
> aware of the network namespace, and thus it discloses all network interfaces on
> the physical machine to the containerized applications.
>
> To be more specific, the read operation of net_prio.ifpriomap is handled by the
> function read_priomap. Tracing from this function, we can find it invokes
> for_each_netdev_rcu and sets the first parameter as the address of init_net. It
> iterates all network devices of the host regardless of the network namespace.
> Thus, from the view of a container, it can read the names of all network
> devices of the host.
I think that is probably because cgroup files don't provide a net pointer for the context; if so, we probably need some API similar to class_create_file_ns().
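A user-space check for the disclosure described in the bug report, added here as an example and not part of the thread or the kernel: it parses net_prio.ifpriomap in the "[ifname priority]" format and reports any interface names that are not present in the caller's own network namespace (taken from /sys/class/net). The cgroup v1 mount path is assumed; the sample priomap and interface list are constructed.

```python
"""Detect net_prio.ifpriomap entries for interfaces outside this netns."""
import os


def parse_ifpriomap(text):
    """Parse 'ifname priority' lines into {ifname: priority}; skip malformed lines."""
    result = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        name, prio = parts
        try:
            result[name] = int(prio)
        except ValueError:
            continue
    return result


def foreign_interfaces(priomap, local_ifaces):
    """Names in the priomap that do not exist in the current network namespace.

    With the bug described above, a container sees host devices here; on a
    namespace-aware kernel this list should be empty."""
    return sorted(set(priomap) - set(local_ifaces))


def check_ifpriomap(path="/sys/fs/cgroup/net_prio/net_prio.ifpriomap",
                    sysfs_net="/sys/class/net"):
    """Read the live priomap and compare it with this namespace's devices."""
    with open(path) as f:
        priomap = parse_ifpriomap(f.read())
    return foreign_interfaces(priomap, os.listdir(sysfs_net))


# Constructed sample: a container whose namespace holds only lo and eth0,
# reading a priomap that was built by iterating init_net (the host).
SAMPLE_PRIOMAP = "lo 0\neth0 0\nens3 0\ndocker0 0\nveth1a2b3c 5\n"
SAMPLE_LOCAL = ["lo", "eth0"]

if __name__ == "__main__":
    print("sample leak:", foreign_interfaces(parse_ifpriomap(SAMPLE_PRIOMAP), SAMPLE_LOCAL))
    try:
        print("this host:", check_ifpriomap())
    except OSError as e:
        print("net_prio cgroup not readable:", e)
```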