[lxc-devel] af_unix isolation
Wilhelm Meier
wilhelm.meier at fh-kl.de
Tue Nov 3 18:46:03 UTC 2009
Hi Daniel,
Daniel Lezcano schrieb:
> Wilhelm Meier wrote:
>> Hi,
>>
>> is it possible to disable the isolation of AF_UNIX sockets? At least
>> between a parent and a child network namespace? Or is there any other
>> way that a child namespace can communicate with its parent through an
>> AF_UNIX socket?
>>
> Hi Wilhelm,
>
> It is not possible to disable the AF_UNIX socket isolation; there was a
> discussion about making it possible to connect to an af_unix socket via the
> filesystem if it was visible, but that was considered potentially dangerous.
well, I stumbled across that discussion and hoped it turned the other
way round ...
> Maybe you can do the following or something similar:
>
> - connect to the AF_UNIX socket before unsharing the namespace.
> - unshare the netns
> - create an af_unix socket somewhere (eg. /var/tmp/.pam_netns.1234)
> - bind mount /var/tmp/.pam_netns.1234 to /tmp/.X11-unix/X0
> - use splice to proxy the traffic between the real /tmp/.X11-unix/X0 and
> /var/tmp/.pam_netns.1234
ah, yes, good idea.
So the architecture of the whole pam-scenario I'm developing would be:
1) pam-module pam_netns.so
2) pam_netns_helper daemon
3) one or more socket_proxy daemons
The pam-module starts the pam_netns_helper-daemon. This daemon first
starts a shell-script to setup the veth-pair. The pam-module connects to
all necessary unix-sockets.
After that the pam-module does the unshare and triggers the
pam_helper-daemon to start another shell-script (in the parent
namespace) to move the veth.
After that the pam-module starts a third script to make the necessary
setup in the new child-namespace.
After that the pam-module forks for every unix-socket a socket_proxy
process in the new child-namespace.
Looks a bit complicated, no? Actually the pam_netns is working already,
the socket_proxy part still is missing but on the way.
After all that a user can setup real private ssh-tunnels invisible for
other users on the same machine.
> The application will connect to /tmp/.X11-unix/X0 which is in fact
> /var/tmp/.pam_netns.1234 and will use this socket which is proxied.
>
> Otherwise, do you think the kde can use a file descriptor instead of
> /tmp/.X11-unix/X0 af_unix path ? so it would be possible to connect to
> /tmp/.X11-unix/X0 before unsharing the network and pass this fd to kdm, no ?
A quick look into the docs of the usual Xservers was disappointing in
this respect: most Xservers listen only on tcp and/or unix-sockets.
So the idea is to modify the DISPLAY variable to point to the parent-ns
veth-dev-address and make the Xserver listen on that socket too.
But there are several other services which use unix-sockets, among them
/dev/log for syslog. Therefore I think the proxy-method above is more
feasible.
--
Wilhelm
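The recipe Daniel sketches above (connect to the real AF_UNIX socket before unsharing, unshare the network namespace, listen on a fresh path inside the new namespace, and proxy between the two) is shown below as one runnable program. This is an added example written for this page, not code from the thread or from lxc/pam_netns: the echo service standing in for the X server, the socket paths and the function names are all constructed, and the relay uses plain recv/sendall rather than splice(2) so that it is portable. The unshare step is optional (it needs CAP_SYS_ADMIN) and is skipped by default so the relay itself can be exercised unprivileged.

```python
"""Proxy an AF_UNIX service into a path that lives in a new network namespace.

Order matters: the upstream connection is opened *before* unshare(), because
afterwards the real socket path is no longer reachable from the new namespace
(on the kernels discussed in the thread), while an already-connected fd keeps
working.  Example code for this page; service, paths and names are constructed.
"""
import os
import selectors
import socket
import tempfile
import threading

CLONE_NEWNET = 0x40000000  # value from <sched.h>; os.unshare() needs Python 3.12+


def enter_new_netns():
    """Step 2: unshare the network namespace of the calling thread.

    Returns True on success, False when the interpreter lacks os.unshare()
    or the kernel refuses (no CAP_SYS_ADMIN), instead of raising.
    """
    if not hasattr(os, "unshare"):
        return False
    try:
        os.unshare(CLONE_NEWNET)
        return True
    except PermissionError:
        return False


def relay(a, b, bufsize=65536):
    """Copy bytes both ways until both peers have sent EOF; returns bytes moved."""
    sel = selectors.DefaultSelector()
    sel.register(a, selectors.EVENT_READ, b)   # data is the opposite socket
    sel.register(b, selectors.EVENT_READ, a)
    total = 0
    while sel.get_map():
        for key, _ in sel.select():
            src, dst = key.fileobj, key.data
            data = src.recv(bufsize)
            if not data:                        # src closed: propagate EOF only
                sel.unregister(src)
                try:
                    dst.shutdown(socket.SHUT_WR)
                except OSError:
                    pass
                continue
            dst.sendall(data)
            total += len(data)
    return total


def serve_one(listen_path, upstream, ready=None):
    """Steps 3-5: listen on the namespaced path, hand one client to `upstream`."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as ls:
        ls.bind(listen_path)
        ls.listen(1)
        if ready is not None:
            ready.set()
        client, _ = ls.accept()
    with client, upstream:
        return relay(client, upstream)


def _echo_service(listener):
    """Constructed stand-in for the real service (X server, syslog, ...)."""
    conn, _ = listener.accept()
    with listener, conn:
        while chunk := conn.recv(65536):
            conn.sendall(chunk)


def demo(payload=b"hello from the child namespace", unshare=False):
    """Run the whole recipe in one process; returns (reply, bytes_relayed, unshared)."""
    with tempfile.TemporaryDirectory() as d:
        real_path = os.path.join(d, "real.sock")    # plays /tmp/.X11-unix/X0
        proxy_path = os.path.join(d, "proxy.sock")  # plays /var/tmp/.pam_netns.1234

        listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        listener.bind(real_path)
        listener.listen(1)
        threading.Thread(target=_echo_service, args=(listener,), daemon=True).start()

        # Step 1: connect while the real path is still reachable.
        upstream = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        upstream.connect(real_path)

        # Step 2: new netns (threads started after this point inherit it).
        unshared = enter_new_netns() if unshare else False

        # Step 3: proxy the pre-opened connection on the new path.
        ready, result = threading.Event(), {}
        t = threading.Thread(
            target=lambda: result.update(relayed=serve_one(proxy_path, upstream, ready)),
            daemon=True)
        t.start()
        ready.wait(5)

        # Step 4: the application talks to the proxy path as if it were the real one.
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as app:
            app.connect(proxy_path)
            app.sendall(payload)
            app.shutdown(socket.SHUT_WR)
            reply = b"".join(iter(lambda: app.recv(65536), b""))
        t.join(5)
        return reply, result.get("relayed"), unshared


if __name__ == "__main__":
    print(demo())
```

Two caveats a deployment would hit: a single pre-opened connection serves exactly one application connection, so a service like X that gets a fresh connect() per client needs a pool of upstream connections opened before the unshare (or a helper left in the parent namespace that opens them on demand), and the proxy path only becomes transparent once it is bind-mounted over the original path as Daniel describes. Note also that later Linux kernels lifted the per-namespace restriction for filesystem-path AF_UNIX sockets, leaving only abstract-namespace sockets scoped to the netns, so on a current kernel the first connect in step 1 would succeed after the unshare as well.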