[lxc-devel] af_unix isolation
Daniel Lezcano
daniel.lezcano at free.fr
Tue Nov 3 09:51:51 UTC 2009
Wilhelm Meier wrote:
> Hi,
>
> is it possible to disable the isolation of AF_UNIX sockets? At least
> between a parent and a child network namespace? Or is there any other
> way that a child namespace can communicate with its parent through an
> AF_UNIX socket?
>
Hi Wilhelm,
It is not possible to disable the AF_UNIX socket isolation; there was a
discussion about making it possible to connect to an af_unix socket via the
filesystem if it was visible, but that was considered potentially dangerous.
Maybe you can do the following or something similar:
- connect to the AF_UNIX socket before unsharing the namespace.
- unshare the netns
- create an af_unix socket somewhere (e.g. /var/tmp/.pam_netns.1234)
- bind mount /var/tmp/.pam_netns.1234 to /tmp/.X11-unix/X0
- use splice to proxy the traffic between the real /tmp/.X11-unix/X0
and /var/tmp/.pam_netns.1234
The application will connect to /tmp/.X11-unix/X0 which is in fact
/var/tmp/.pam_netns.1234 and will use this socket which is proxied.
Otherwise, do you think KDE can use a file descriptor instead of the
/tmp/.X11-unix/X0 af_unix path? So it would be possible to connect to
/tmp/.X11-unix/X0 before unsharing the network and pass this fd to kdm, no?
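The "connect first, then unshare, then proxy with splice" sketch from the reply, as an added example that is not code from the lxc thread or the project. The point it relies on is that an AF_UNIX socket created before `unshare(CLONE_NEWNET)` stays attached to the parent network namespace, so the pre-connected fd keeps working after the unshare. Assumptions: the caller does the bind mount of the private path over `/tmp/.X11-unix/X0` (for example with `mount --bind`), a single pre-connected client is proxied, `unshare` needs CAP_SYS_ADMIN, and `relay_chunk` falls back to a read/write copy when the kernel returns EINVAL for splice on these fd types (older kernels have no AF_UNIX splice support). `relay_self_test` wires two constructed socketpairs through the relay so the copy path can be checked without root.

```c
/* Added example, not code from the lxc thread: the "connect first, then
 * unshare, then proxy" sketch, built around a splice(2) relay. A socket
 * created before unshare(CLONE_NEWNET) stays attached to the parent netns,
 * so it still reaches the parent's AF_UNIX sockets afterwards. Assumed:
 * the caller bind-mounts the private path over /tmp/.X11-unix/X0, and a
 * single pre-connected client is proxied. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Guards for the case where the headers were read without _GNU_SOURCE. */
#ifndef SPLICE_F_MOVE
#define SPLICE_F_MOVE 1
#endif
#ifndef CLONE_NEWNET
#define CLONE_NEWNET 0x40000000
#endif
ssize_t splice(int, loff_t *, int, loff_t *, size_t, unsigned int);
int unshare(int);

static void die(const char *what) { perror(what); _exit(1); }

static int write_all(int fd, const char *buf, size_t n)
{
    while (n > 0) {
        ssize_t w = write(fd, buf, n);
        if (w <= 0) return -1;
        buf += w;
        n -= (size_t)w;
    }
    return 0;
}

/* splice(2) needs a pipe on one side, so bytes go from -> pipe -> to.
 * If the kernel refuses splice for these fd types (EINVAL), the same
 * bytes are copied through a buffer instead. Returns bytes moved,
 * 0 on EOF, -1 on error. */
ssize_t relay_chunk(int from, int to, int pipefd[2], size_t len)
{
    char buf[4096];
    if (len > sizeof buf) len = sizeof buf;
    ssize_t n = splice(from, NULL, pipefd[1], NULL, len, SPLICE_F_MOVE);
    if (n < 0 && errno == EINVAL) {              /* plain read/write copy */
        n = read(from, buf, len);
        return (n <= 0 || write_all(to, buf, (size_t)n) == 0) ? n : -1;
    }
    for (ssize_t left = n; left > 0; ) {         /* drain the pipe into `to` */
        ssize_t w = splice(pipefd[0], NULL, to, NULL, (size_t)left, SPLICE_F_MOVE);
        if (w < 0 && errno == EINVAL) {          /* socket side refused splice */
            w = read(pipefd[0], buf, (size_t)left);
            if (w > 0 && write_all(to, buf, (size_t)w) < 0) w = -1;
        }
        if (w <= 0) return -1;
        left -= w;
    }
    return n;
}

/* Self-test with constructed data: two socketpairs stand in for the app
 * side and the real server side, and one message is relayed each way
 * through relay_chunk. Returns 0 when both copies arrive intact. */
int relay_self_test(void)
{
    static const char req[] = "constructed X request";
    static const char rep[] = "constructed X reply";
    int app[2], srv[2], pipefd[2];
    char buf[64];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, app) < 0 ||
        socketpair(AF_UNIX, SOCK_STREAM, 0, srv) < 0 || pipe(pipefd) < 0)
        return -1;
    /* app -> proxy -> server */
    if (write_all(app[0], req, sizeof req) < 0) return -2;
    if (relay_chunk(app[1], srv[0], pipefd, sizeof req) != (ssize_t)sizeof req) return -3;
    if (read(srv[1], buf, sizeof buf) != (ssize_t)sizeof req || memcmp(buf, req, sizeof req)) return -4;
    /* server -> proxy -> app */
    if (write_all(srv[1], rep, sizeof rep) < 0) return -5;
    if (relay_chunk(srv[0], app[1], pipefd, sizeof rep) != (ssize_t)sizeof rep) return -6;
    if (read(app[0], buf, sizeof buf) != (ssize_t)sizeof rep || memcmp(buf, rep, sizeof rep)) return -7;
    close(app[0]); close(app[1]); close(srv[0]); close(srv[1]); close(pipefd[0]); close(pipefd[1]);
    return 0;
}

/* Stand-alone use (needs CAP_SYS_ADMIN for the unshare):
 *   ./proxy /tmp/.X11-unix/X0 /var/tmp/.pam_netns.1234
 * then bind-mount the second path over the first inside the container. */
int main(int argc, char **argv)
{
    if (argc != 3) { fprintf(stderr, "usage: %s REAL_SOCKET PRIVATE_SOCKET\n", argv[0]); return 2; }
    struct sockaddr_un rsa = { .sun_family = AF_UNIX }, psa = { .sun_family = AF_UNIX };
    snprintf(rsa.sun_path, sizeof rsa.sun_path, "%s", argv[1]);
    snprintf(psa.sun_path, sizeof psa.sun_path, "%s", argv[2]);
    int real = socket(AF_UNIX, SOCK_STREAM, 0);                   /* 1. still in the parent netns */
    if (real < 0 || connect(real, (struct sockaddr *)&rsa, sizeof rsa) < 0) die("connect real socket");
    if (unshare(CLONE_NEWNET) < 0) die("unshare(CLONE_NEWNET)");  /* 2. leave the parent netns */
    int lsn = socket(AF_UNIX, SOCK_STREAM, 0);                    /* 3. private path, bind-mounted by caller */
    unlink(argv[2]);
    if (lsn < 0 || bind(lsn, (struct sockaddr *)&psa, sizeof psa) < 0 || listen(lsn, 1) < 0) die("bind private socket");
    int app = accept(lsn, NULL, NULL), pipefd[2];
    if (app < 0 || pipe(pipefd) < 0) die("accept/pipe");
    struct pollfd pfd[2] = { { .fd = app, .events = POLLIN }, { .fd = real, .events = POLLIN } };
    for (;;) {                                                    /* 4. relay until one side closes */
        if (poll(pfd, 2, -1) < 0) die("poll");
        if (pfd[0].revents && relay_chunk(app, real, pipefd, 4096) <= 0) break;
        if (pfd[1].revents && relay_chunk(real, app, pipefd, 4096) <= 0) break;
    }
    return 0;
}
```

The relay handles one client because only one fd was connected before the unshare; an X session that opens several connections would need one pre-created parent-namespace socket per connection, which is the limitation the reply's final question about passing an fd to kdm is getting at.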