[lxc-devel] af_unix isolation
Daniel Lezcano
daniel.lezcano at free.fr
Fri Nov 6 17:53:41 UTC 2009
Wilhelm Meier wrote:
> Hi Daniel,
>
> Daniel Lezcano wrote:
>> Wilhelm Meier wrote:
>>> Hi,
>>>
>>> is it possible to disable the isolation of AF_UNIX sockets? At least
>>> between a parent and a child network namespace? Or is there any
>>> other way that a child namespace can communicate with its parent
>>> through an AF_UNIX socket?
>>>
>> Hi Wilhelm,
>>
>> It is not possible to disable the AF_UNIX socket, there was a
>> discussion about making it possible to connect to an af_unix socket via
>> the filesystem if it was visible but that was considered
>> potentially dangerous.
>>
>> Maybe you can do the following or something similar:
>>
>> - connect to the AF_UNIX socket before unsharing the namespace.
>> - unshare the netns
>> - create an af_unix socket somewhere (e.g. /var/tmp/.pam_netns.1234)
>> - bind mount /var/tmp/.pam_netns.1234 to /tmp/.X11-unix/X0
>> - use splice to proxy the traffic between the real /tmp/.X11-unix/X0
>> and /var/tmp/.pam_netns.1234
>
> I tried this setup for /dev/log:
>
> 1) create a PF_UNIX/SOCK_DGRAM and connect it to /dev/log
> 2) unshare(CLONE_NEWNET)
> 3) start proxy from /dev/log.1234 to /dev/log using fd from 1)
> 4) bind-mount /dev/log.1234 on /dev/log
>
> Then I get a loop: sending messages to /dev/log, the proxy sends them
> to the connected socket from 1), which results in getting the messages
> again and again.
> This also happens if 2) is unshare(CLONE_NEWNET | CLONE_NEWNS).
>
> Any ideas?
Is it possible to see the code?