[lxc-devel] af_unix isolation

Wilhelm Meier wilhelm.meier at fh-kl.de
Fri Nov 6 11:56:19 UTC 2009


Hi Daniel,

Daniel Lezcano wrote:
> Wilhelm Meier wrote:
>> Hi,
>>
>> is it possible to disable the isolation of AF_UNIX sockets? At least 
>> between a parent and a child network namespace? Or is there any other 
>> way that a child namespace can communicate with its parent through an 
>> AF_UNIX socket?
>>   
> Hi Wilhelm,
> 
> It is not possible to disable the AF_UNIX socket isolation. There was a 
> discussion about making it possible to connect to an af_unix socket via the 
> filesystem if it was visible, but that was considered potentially dangerous.
> 
> Maybe you can do the following or something similar:
> 
> - connect to the AF_UNIX socket before unsharing the namespace.
> - unshare the netns
> - create an af_unix socket somewhere (eg. /var/tmp/.pam_netns.1234)
> - bind mount /var/tmp/.pam_netns.1234 to /tmp/.X11-unix/X0
> - use splice to proxy the traffic between the real /tmp/.X11-unix/X0 and 
> /var/tmp/.pam_netns.1234

I tried this setup for /dev/log:

1) create a PF_UNIX/SOCK_DGRAM and connect it to /dev/log
2) unshare(CLONE_NEWNET)
3) start proxy from /dev/log.1234 to /dev/log using fd from 1)
4) bind-mount /dev/log.1234 on /dev/log

Then I get a loop: when I send messages to /dev/log, the proxy sends them to 
the connected socket from 1), which results in the messages arriving again 
and again.
This also happens if 2) is unshare(CLONE_NEWNET | CLONE_NEWNS).

Any ideas?

> The application will connect to /tmp/.X11-unix/X0 which is in fact 
> /var/tmp/.pam_netns.1234 and will use this socket which is proxied.
> 
> Otherwise, do you think KDE can use a file descriptor instead of the 
> /tmp/.X11-unix/X0 af_unix path? Then it would be possible to connect to 
> /tmp/.X11-unix/X0 before unsharing the network and pass this fd to kdm, no?

-- 
Wilhelm
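Daniel's relay recipe, applied to the /dev/log case, as an added example (this is not code from the thread or from lxc). It connects to the syslog socket before unshare(), moves into a new network namespace, and forwards datagrams from the proxy's own socket over the fd that was connected before the unshare. The bind mount over /dev/log is left out; the socket paths, the stand-in "syslogd" socket and the single relayed message are constructed for the demo, and a user namespace is unshared together with the network namespace so it runs unprivileged (if unshare() is refused, the relay still runs and the function reports that). The proxy forwards with send() on the pre-connected fd and never resolves a path again, so after a bind mount over /dev/log it cannot deliver to its own socket.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <sys/wait.h>
#include <unistd.h>

/* Bind a SOCK_DGRAM AF_UNIX socket at path: what syslogd does for /dev/log
 * and what the proxy does for its own socket (e.g. /dev/log.1234). */
static int bind_dgram(const char *path)
{
    struct sockaddr_un sa;
    int fd = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    memset(&sa, 0, sizeof sa);
    sa.sun_family = AF_UNIX;
    snprintf(sa.sun_path, sizeof sa.sun_path, "%s", path);
    unlink(path);                 /* drop a stale socket file, if any */
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* connect() a datagram socket to path once; later send() needs no lookup. */
static int connect_dgram(const char *path)
{
    struct sockaddr_un sa;
    int fd = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    memset(&sa, 0, sizeof sa);
    sa.sun_family = AF_UNIX;
    snprintf(sa.sun_path, sizeof sa.sun_path, "%s", path);
    if (connect(fd, (struct sockaddr *)&sa, sizeof sa) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* One proxy step: take a datagram off the socket clients in the new netns
 * reach and resend it on the fd connected before unshare(). A real proxy
 * loops here forever. */
static int relay_one(int from_fd, int to_fd)
{
    char buf[4096];
    ssize_t n = recv(from_fd, buf, sizeof buf, 0);
    if (n < 0)
        return -1;
    return send(to_fd, buf, (size_t)n, 0) == n ? 0 : -1;
}

/* Returns 1 if msg reached the parent-side socket after a successful
 * unshare(), 0 if it was relayed but unshare() was refused, -1 on error.
 * server_path and proxy_path are constructed stand-ins for /dev/log and
 * /dev/log.1234; the bind mount of the latter over the former is omitted. */
int relay_demo(const char *server_path, const char *proxy_path,
               const char *msg, char *out, size_t outlen)
{
    int status;
    ssize_t n;
    int server_fd = bind_dgram(server_path);   /* stand-in for syslogd */
    int up_fd = connect_dgram(server_path);    /* step 1: connect first */
    if (server_fd < 0 || up_fd < 0)
        return -1;

    pid_t pid = fork();
    if (pid == 0) {
        int code = 0, proxy_fd, client_fd;
        close(server_fd);
        /* step 2: new netns (plus a user ns so this needs no privilege) */
        if (unshare(CLONE_NEWUSER | CLONE_NEWNET) < 0)
            code = 2;                           /* refused; relay still runs */
        /* step 3: the proxy's socket, created inside the new netns */
        proxy_fd = bind_dgram(proxy_path);
        client_fd = connect_dgram(proxy_path);  /* a logger in the netns */
        if (proxy_fd < 0 || client_fd < 0 ||
            send(client_fd, msg, strlen(msg), 0) < 0 ||
            relay_one(proxy_fd, up_fd) < 0)
            code = 1;
        _exit(code);
    }
    close(up_fd);
    if (pid < 0 || waitpid(pid, &status, 0) < 0)
        return -1;
    /* the child exited after send(), so the datagram is already queued */
    n = recv(server_fd, out, outlen - 1, MSG_DONTWAIT);
    close(server_fd);
    unlink(server_path);
    unlink(proxy_path);
    if (n < 0 || !WIFEXITED(status))
        return -1;
    out[n] = '\0';
    return WEXITSTATUS(status) == 0 ? 1 : WEXITSTATUS(status) == 2 ? 0 : -1;
}

int main(void)
{
    char buf[64];
    int r = relay_demo("/tmp/relay_demo.srv", "/tmp/relay_demo.prx",
                       "<13>hello from the netns", buf, sizeof buf);
    printf("result %d, received \"%s\"\n", r, r >= 0 ? buf : "");
    return r < 0;
}
```

The stand-in server socket plays syslogd's role; in the real setup the proxy would run in a loop on `relay_one()` and `/dev/log.1234` would be bind-mounted over `/dev/log` once the proxy is listening, so that only the proxy ever holds a socket connected to the real `/dev/log`.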