[lxc-devel] af_unix isolation

Daniel Lezcano daniel.lezcano at free.fr
Wed Nov 4 22:56:59 UTC 2009


Wilhelm Meier wrote:
> Hi Daniel,
>
> Daniel Lezcano schrieb:
>> Wilhelm Meier wrote:
>>> Hi,
>>>
>>> is it possible to disable the isolation of AF_UNIX sockets? At least 
>>> between a parent and a child network namespace? Or is there any 
>>> other way that a child namespace can communicate with its parent 
>>> through an AF_UNIX socket?
>>>   
>> Hi Wilheim,
>>
>> It is not possible to disable the AF_UNIX socket, there was a 
>> discussion about making it possible to connect to an af_unix socket via 
>> the filesystem if it was visible but that was considered 
>> potentially dangerous.
>
> well, I stumbled across that discussion and hoped it turned the other 
> way round ...
>
>> Maybe you can do the following or something similar:
>>
>> - connect to the AF_UNIX socket before unsharing the namespace.
>> - unshare the netns
>> - create an af_unix socket somewhere (eg. /var/tmp/.pam_netns.1234)
>> - bind mount /var/tmp/.pam_netns.1234 to /tmp/.X11-unix/X0
>> - use splice to proxy the traffic between the real /tmp/.X11-unix/X0 
>> and /var/tmp/.pam_netns.1234
>
> ah, yes, good idea.
>
> So the architecture of the whole pam-scenario I'm developing would be:
>
> 1) pam-module pam_netns.so
>
> 2) pam_netns_helper daemon
>
> 3) one or more socket_proxy daemons
>
> The pam-module starts the pam_netns_helper-daemon. This daemon first 
> starts a shell-script to setup the veth-pair. The pam-module connects 
> to all necessary unix-sockets.
> After that the pam-module does the unshare and triggers the 
> pam_helper-daemon to start another shell-script (in the parent 
> namespace) to move the veth.
> After that the pam-module starts a third script to make the necessary 
> setup in the new child-namespace.
> After that the pam-modules forks for every unix-socket a socket_proxy 
> process in the new child-namespace.
>
> Looks a bit complicated, no? 
Yes :\

I wrote a small kernel patch to connect to an af_unix socket belonging 
to another netns. This behavior is tunable via a new sysctl 
/proc/sys/net/unix/share_via_fs.  Do you want to test it with pam_netns ?
Maybe I can send it to netdev@ and hopefully it can be merged upstream ...

> Actually the pam_netns is working already, the socket_proxy part still 
> is missing but on the way.
> After all that a user can setup real private ssh-tunnels invisible for 
> other users on the same machine.
Nice :)


Thanks
  -- Daniel
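The relay step of the procedure Daniel sketches above (connect to the real socket before unshare, bind a stand-in socket in the new netns, proxy with splice), as an added C example that is not code from this thread or from pam_netns. It assumes a Linux kernel with splice(); the socket paths from the thread are not opened, two socketpairs stand in for the client and the pre-opened connection.

```c
/* Sketch of the thread's "socket_proxy" step (added example, not pam_netns
 * code): relay bytes from a client that connected to the stand-in socket
 * inside the new netns to the fd that was connected before unshare(). */
#define _GNU_SOURCE
#include <fcntl.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>
#ifndef SPLICE_F_MOVE   /* libc headers hide splice() without _GNU_SOURCE */
#define SPLICE_F_MOVE 1
#define splice(a, b, c, d, e, f) syscall(SYS_splice, a, b, c, d, e, f)
#endif

/* Move one chunk from `in` to `out` through the pipe `pfd`. splice() keeps
 * the bytes in kernel space; kernels that refuse splice() on AF_UNIX sockets
 * get a plain read()/write() copy. Returns bytes moved, 0 on EOF, -1 on error. */
ssize_t relay_chunk(int in, int out, int pfd[2], size_t len)
{
    ssize_t n = splice(in, NULL, pfd[1], NULL, len, SPLICE_F_MOVE);
    if (n < 0) {                                   /* userspace fallback */
        char buf[4096];
        n = read(in, buf, len < sizeof buf ? len : sizeof buf);
        for (ssize_t off = 0; off < n;) {
            ssize_t w = write(out, buf + off, n - off);
            if (w <= 0) return -1;
            off += w;
        }
        return n;
    }
    for (ssize_t left = n; left > 0;) {            /* drain pipe -> out */
        ssize_t w = splice(pfd[0], NULL, out, NULL, left, SPLICE_F_MOVE);
        if (w <= 0) return -1;
        left -= w;
    }
    return n;
}

/* Self-check on constructed data: socketpair `c` stands in for the client
 * inside the namespace, `x` for the pre-opened /tmp/.X11-unix/X0 connection. */
int selftest(void)
{
    int x[2], c[2], pfd[2]; char buf[8] = { 0 };
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, x) ||
        socketpair(AF_UNIX, SOCK_STREAM, 0, c) || pipe(pfd))
        return 0;
    if (write(c[1], "hello", 5) != 5) return 0;            /* client writes */
    if (relay_chunk(c[0], x[0], pfd, 4096) != 5) return 0; /* proxy relays */
    return read(x[1], buf, sizeof buf) == 5 && memcmp(buf, "hello", 5) == 0;
}
```

A real proxy would call relay_chunk() in both directions from a poll() loop and exit when it returns 0 or -1.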
