[lxc-devel] af_unix isolation

Wilhelm Meier wilhelm.meier at fh-kl.de
Fri Nov 6 06:47:48 UTC 2009
Daniel Lezcano schrieb:
> Wilhelm Meier wrote:
>> Hi Daniel,
>>
>> Daniel Lezcano schrieb:
>>> Wilhelm Meier wrote:
>>>> Hi,
>>>>
>>>> is it possible to disable the isolation of AF_UNIX sockets? At least 
>>>> between a parent and a child network namespace? Or is there any 
>>>> other way that a child namespace can communicate with its parent 
>>>> through an AF_UNIX socket?
>>>>
>>> Hi Wilhelm,
>>>
>>> It is not possible to disable the AF_UNIX socket; there was a 
>>> discussion about making it possible to connect to an af_unix socket via 
>>> the filesystem if it was visible, but that was considered 
>>> potentially dangerous.
>>
>> well, I stumbled across that discussion and hoped it turned the other 
>> way round ...
>>
>>> Maybe you can do the following or something similar:
>>>
>>> - connect to the AF_UNIX socket before unsharing the namespace.
>>> - unshare the netns
>>> - create an af_unix socket somewhere (eg. /var/tmp/.pam_netns.1234)
>>> - bind mount /var/tmp/.pam_netns.1234 to /tmp/.X11-unix/X0
>>> - use splice to proxy the traffic between the real /tmp/.X11-unix/X0 
>>> and /var/tmp/.pam_netns.1234
>>
>> ah, yes, good idea.
>>
>> So the architecture of the whole pam-scenario I'm developing would be:
>>
>> 1) pam-module pam_netns.so
>>
>> 2) pam_netns_helper daemon
>>
>> 3) one or more socket_proxy daemons
>>
>> The pam-module starts the pam_netns_helper-daemon. This daemon first 
>> starts a shell-script to setup the veth-pair. The pam-module connects 
>> to all necessary unix-sockets.
>> After that the pam-module does the unshare and triggers the 
>> pam_helper-daemon to start another shell-script (in the parent 
>> namespace) to move the veth.
>> After that the pam-module starts a third script to make the necessary 
>> setup in the new child-namespace.
>> After that the pam-module forks for every unix-socket a socket_proxy 
>> process in the new child-namespace.
>>
>> Looks a bit complicated, no?
> Yes :\
> 
> I wrote a small kernel patch to connect to an af_unix socket belonging 
> to another netns. This behavior is tunable via a new sysctl 
> /proc/sys/net/unix/share_via_fs. Do you want to test it with pam_netns?

Please send me the patch. I will test it.

Thanks.

> Maybe I can send it to netdev@ and hopefully it can be merged upstream ...
> 
>> Actually the pam_netns is working already, the socket_proxy part still 
>> is missing but on the way.
>> After all that a user can setup real private ssh-tunnels invisible for 
>> other users on the same machine.
> Nice :)
> 
> 
> Thanks
>  -- Daniel

-- 
Wilhelm
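The ordering Daniel describes above (hold the AF_UNIX connection before unshare(CLONE_NEWNET), then splice traffic between the real socket and the one inside the child netns), as an added C example that is not part of this thread or of pam_netns. The endpoints are constructed socketpairs standing in for the X0 server and the proxy socket, and relay_once and proxy_demo are names chosen here.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <sched.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Forward one chunk (at most 'max' bytes) from socket 'from' to socket 'to'
 * through a pipe with splice(2), the relay Daniel proposes between the real
 * /tmp/.X11-unix/X0 and the proxy socket in the child netns. Returns bytes
 * forwarded, 0 on EOF, -1 on error; if splice is refused, read/write copies. */
static ssize_t relay_once(int from, int to, int pipefd[2], size_t max)
{
    ssize_t got = splice(from, NULL, pipefd[1], NULL, max, SPLICE_F_MOVE);
    if (got < 0) {                               /* fallback: plain copy */
        char buf[4096];
        got = read(from, buf, max < sizeof buf ? max : sizeof buf);
        for (ssize_t off = 0; off < got; ) {
            ssize_t w = write(to, buf + off, got - off);
            if (w < 0) return -1;
            off += w;
        }
        return got;
    }
    for (ssize_t left = got; left > 0; ) {       /* drain pipe into 'to' */
        ssize_t w = splice(pipefd[0], NULL, to, NULL, left, SPLICE_F_MOVE);
        if (w <= 0) return -1;
        left -= w;
    }
    return got;
}

/* Demo on constructed endpoints: pair 'a' stands in for an X client and the
 * proxy's socket in the child netns, pair 'b' for the proxy's connection to
 * the real X0 server. Both exist before unshare(CLONE_NEWNET), which is why
 * they stay usable after it. Returns bytes reaching the server end, or -1. */
ssize_t proxy_demo(const char *msg, char *out, size_t outlen)
{
    int a[2], b[2], p[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, a) < 0 ||
        socketpair(AF_UNIX, SOCK_STREAM, 0, b) < 0 || pipe(p) < 0)
        return -1;
    (void)unshare(CLONE_NEWNET);                 /* EPERM when unprivileged */
    size_t len = strlen(msg);
    if (write(a[0], msg, len) != (ssize_t)len) return -1;
    ssize_t n = relay_once(a[1], b[0], p, len);  /* the proxy step */
    ssize_t r = n > 0 ? read(b[1], out, outlen) : -1;
    close(a[0]); close(a[1]); close(b[0]); close(b[1]); close(p[0]); close(p[1]);
    return r;
}
```

Without CAP_SYS_ADMIN the unshare call fails and the relay still runs in the caller's own netns, which is enough to see the splice path work.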