[lxc-devel] af_unix isolation

Wilhelm Meier wilhelm.meier at fh-kl.de
Tue Nov 3 18:46:03 UTC 2009


Hi Daniel,

Daniel Lezcano schrieb:
> Wilhelm Meier wrote:
>> Hi,
>>
>> is it possible to disable the isolation of AF_UNIX sockets? At least 
>> between a parent and a child network namespace? Or is there any other 
>> way that a child namespace can communicate with its parent through an 
>> AF_UNIX socket?
>>   
> Hi Wilhelm,
> 
> It is not possible to disable the AF_UNIX socket, there was a discussion 
> about making it possible to connect to an af_unix socket via the filesystem 
> if it was visible, but that was considered potentially dangerous.

well, I stumbled across that discussion and hoped it turned the other 
way round ...

> Maybe you can do the following or something similar:
> 
> - connect to the AF_UNIX socket before unsharing the namespace.
> - unshare the netns
> - create an af_unix socket somewhere (eg. /var/tmp/.pam_netns.1234)
> - bind mount /var/tmp/.pam_netns.1234 to /tmp/.X11-unix/X0
> - use splice to proxy the traffic between the real /tmp/.X11-unix/X0 and 
> /var/tmp/.pam_netns.1234

ah, yes, good idea.

So the architecture of the whole pam-scenario I'm developing would be:

1) pam-module pam_netns.so

2) pam_netns_helper daemon

3) one or more socket_proxy daemons

The pam-module starts the pam_netns_helper daemon. This daemon first 
starts a shell-script to set up the veth-pair. The pam-module connects to 
all necessary unix-sockets.
After that the pam-module does the unshare and triggers the 
pam_helper-daemon to start another shell-script (in the parent 
namespace) to move the veth.
After that the pam-module starts a third script to do the necessary 
setup in the new child-namespace.
After that the pam-module forks, for every unix-socket, a socket_proxy 
process in the new child-namespace.

Looks a bit complicated, no? Actually the pam_netns is working already, 
the socket_proxy part still is missing but on the way.
After all that, a user can set up real private ssh-tunnels invisible to 
other users on the same machine.

> The application will connect to /tmp/.X11-unix/X0 which is in fact 
> /var/tmp/.pam_netns.1234 and will use this socket which is proxied.
> 
> Otherwise, do you think the kde can use a file descriptor instead of 
> /tmp/.X11-unix/X0 af_unix path ? so it would be possible to connect to 
> /tmp/.X11-unix/X0 before unsharing the network and pass this fd to kdm, no?

A quick look into the docs of the usual Xservers was disappointing in 
this respect: most Xservers listen only on tcp and/or unix-sockets.

So the idea is to modify the DISPLAY variable to point to the parent-ns 
veth-dev-address and make the Xserver listen on that socket too.

But there are several other services which use unix-sockets, among them 
/dev/log for syslog. Therefore I think the proxy-method above is more 
feasible.

-- 
Wilhelm
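[Editor's note, not part of the thread.] The sequence Daniel sketches above (connect to the real AF_UNIX socket before unsharing, unshare the netns, create a replacement socket, bind-mount it over the original path, splice traffic between the two) is the core of the socket_proxy daemon Wilhelm describes. The following is an added example written for this page; it is not Wilhelm's pam_netns code, not part of LXC, and the socket paths used in it are stand-ins. It assumes Linux (unshare(2), splice(2), pipe2(2), SOCK_CLOEXEC). run_proxy() performs the real sequence and needs CAP_SYS_ADMIN for the unshare; self_test() exercises the connect/listen/forward plumbing without privileges by using a socketpair in place of the pre-unshare connection to the real server, so it can be run by any user.

```c
#define _GNU_SOURCE                  /* unshare(), splice(), pipe2() */
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <sched.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* Open an AF_UNIX stream socket at path: connect to it, or bind+listen on it. */
static int unix_sock(const char *path, int do_listen) {
    struct sockaddr_un sa = { .sun_family = AF_UNIX };
    if (strlen(path) >= sizeof sa.sun_path) { errno = ENAMETOOLONG; return -1; }
    strcpy(sa.sun_path, path);       /* refuse over-long paths, never truncate */
    int fd = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0), rc;
    if (fd < 0) return -1;
    if (!do_listen) rc = connect(fd, (struct sockaddr *)&sa, sizeof sa);
    else {                           /* shim socket: mode 0600, owner only */
        unlink(path);
        mode_t old = umask(0077);
        rc = bind(fd, (struct sockaddr *)&sa, sizeof sa);
        umask(old);
        if (rc == 0) rc = listen(fd, 8);
    }
    if (rc < 0) { int e = errno; close(fd); errno = e; return -1; }
    return fd;
}
int connect_unix(const char *path) { return unix_sock(path, 0); }
int listen_unix(const char *path)  { return unix_sock(path, 1); }

/* Plain read()/write() copy of up to max bytes: bytes copied, 0 at EOF, -1 on error. */
static ssize_t copy_bytes(int src, int dst, size_t max) {
    char buf[65536];
    ssize_t r = read(src, buf, max < sizeof buf ? max : sizeof buf);
    for (ssize_t off = 0; off < r; ) {
        ssize_t w = write(dst, buf + off, (size_t)(r - off));
        if (w < 0) return -1;
        off += w;
    }
    return r;
}

/* Move up to 64 KiB from one socket to the other. splice() cannot join two
   sockets directly, so the bytes pass through a pipe; where the kernel refuses
   splice on an fd we fall back to copy_bytes(). Returns bytes moved, 0 at EOF,
   -1 on error (errno == EAGAIN means "nothing to read right now"). */
ssize_t forward(int from, int to) {
    int p[2];
    if (pipe2(p, O_CLOEXEC) < 0) return -1;
    ssize_t n = splice(from, NULL, p[1], NULL, 65536, SPLICE_F_MOVE | SPLICE_F_NONBLOCK);
    if (n < 0 && errno != EAGAIN) n = copy_bytes(from, to, 65536);   /* no splice here */
    else for (ssize_t left = n; left > 0; ) {                        /* drain the pipe */
        ssize_t w = splice(p[0], NULL, to, NULL, (size_t)left, SPLICE_F_MOVE);
        if (w < 0) w = copy_bytes(p[0], to, (size_t)left);          /* dst refuses splice */
        if (w <= 0) { n = -1; break; }
        left -= w;
    }
    int e = errno; close(p[0]); close(p[1]); errno = e;
    return n;
}

/* The sequence from the thread, for one socket. The single pre-made connection
   serves exactly one client. Returns bytes proxied, or -1. */
long run_proxy(const char *real_path, const char *shim_path) {
    int up = connect_unix(real_path);                        /* 1: before unshare */
    if (up < 0) return -1;
    if (unshare(CLONE_NEWNET) < 0) { close(up); return -1; } /* 2: CAP_SYS_ADMIN */
    int lfd = listen_unix(shim_path);                        /* 3: the shim socket */
    int cl = lfd < 0 ? -1 : accept(lfd, NULL, NULL);         /* an app in the child ns */
    long total = cl < 0 ? -1 : 0;
    struct pollfd pf[2] = { { cl, POLLIN, 0 }, { up, POLLIN, 0 } };
    for (int done = total < 0; !done && poll(pf, 2, -1) >= 0; )
        for (int i = 0; i < 2 && !done; i++) {
            if (!(pf[i].revents & (POLLIN | POLLHUP | POLLERR))) continue;
            ssize_t n = forward(pf[i].fd, pf[1 - i].fd);
            if (n > 0) total += n;
            else done = (n == 0 || errno != EAGAIN);         /* EOF or hard error */
        }
    if (cl >= 0) close(cl);
    if (lfd >= 0) close(lfd);
    close(up);
    return total;
}

/* Unprivileged self-check (no unshare): a socketpair stands in for the
   pre-unshare connection to the real server; the shim path is exercised for real. */
int self_test(void) {
    char dir[] = "/tmp/pam_netns_XXXXXX", shim[64], buf[16];  /* constructed paths */
    int sp[2] = { -1, -1 };
    if (!mkdtemp(dir) || socketpair(AF_UNIX, SOCK_STREAM, 0, sp) < 0) return 0;
    strcpy(shim, dir); strcat(shim, "/shim");
    int lfd = listen_unix(shim), cl = connect_unix(shim);
    int cl_conn = lfd < 0 ? -1 : accept(lfd, NULL, NULL);
    int ok = cl >= 0 && cl_conn >= 0
        && write(cl, "ping", 4) == 4 && forward(cl_conn, sp[0]) == 4
        && read(sp[1], buf, sizeof buf) == 4 && !memcmp(buf, "ping", 4)
        && write(sp[1], "pong!", 5) == 5 && forward(sp[0], cl_conn) == 5
        && read(cl, buf, sizeof buf) == 5 && !memcmp(buf, "pong!", 5);
    int fds[] = { sp[0], sp[1], lfd, cl, cl_conn };
    for (int i = 0; i < 5; i++) if (fds[i] >= 0) close(fds[i]);
    unlink(shim); rmdir(dir);
    return ok;
}
```

Two caveats a practitioner would want, both my own observations rather than points made in the thread: the bind mount of the shim over /tmp/.X11-unix/X0 is done by a privileged helper (mount --bind), and unless that helper also gives the session its own mount namespace the mount is visible system-wide and redirects every user's X clients into this session's proxy. And because a connection made before unshare() serves exactly one client, a service whose clients each open their own connection (X clients, syslog writers) needs a helper left behind in the parent namespace that connects on demand and hands the new fd back over a socketpair created before the unshare, using SCM_RIGHTS.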




