[lxc-devel] af_unix isolation
Wilhelm Meier
wilhelm.meier at fh-kl.de
Thu Nov 12 16:30:09 UTC 2009
Hi,
Daniel Lezcano schrieb:
> Wilhelm Meier wrote:
>> Hi Daniel,
>>
>> Daniel Lezcano schrieb:
>>> Wilhelm Meier wrote:
>>>> Hi,
>>>>
>>>> is it possible to disable the isolation of AF_UNIX sockets? At least
>>>> between a parent and a child network namespace? Or is there any
>>>> other way that a child namespace can communicate with its parent
>>>> through an AF_UNIX socket?
>>>>
>>> Hi Wilheim,
>>>
>>> It is not possible to disable the AF_UNIX socket, there was a
>>> discussion about making possible to connect to an af_unix socket via
>>> the filesystem if it was visible but that was considered as
>>> potentially dangerous.
>>>
>>> Maybe you can do the following or something similar:
>>>
>>> - connect to the AF_UNIX socket before unsharing the namespace.
>>> - unshare the netns
>>> - create an af_unix socket somewhere (eg. /var/tmp/.pam_netns.1234)
>>> - bind mount /var/tmp/.pam_netns.1234 to /tmp/.X11-unix/X0
>>> - use splice to proxy the traffic between the real /tmp/.X11-unix/X0
>>> and /var/tmp/.pam_netns.1234
>>
>> I tried this setup for /dev/log:
>>
>> 1) create a PF_UNIX/SOCK_DGRAM and connect it to /dev/log
>> 2) unshare(CLONE_NEWNET)
>> 3) start proxy from /dev/log.1234 to /dev/log using fd from 1)
>> 4) bind-mount /dev/log.1234 on /dev/log
>>
>> Then I get a loop: sending messages to /dev/log, the proxy sends them
>> to the connected socket from 1) which results in getting the messages
>> again and again.
>> This also happens if 2) is unshare(CLONE_NEWNET | CLONE_NEWNS).
ok, this was my fault because I was using syslog() in the proxy. So the
proxy wanted to syslog some debug information, resulting in a connect to
/dev/log, which was actually the bind-mounted socket. Then the proxy
reads its own syslog message and sends it out again ...
Eliminating the syslog call during the transfer and using an ordinary
log file solves the problem.
Now that this is working, I ran into the next problem: if I try to use
the same approach for a stream socket (like /tmp/.X11-unix/X0), I can't
use a pre-connected socket from the parent namespace. For every incoming
connection request it has to open a new connection to /tmp/.X11-unix/X0.
But if the proxy socket is bind-mounted over this socket, a loop results.
The only thing that comes to mind is to use a helper daemon in the
parent namespace that connects to /tmp/.X11-unix/X0 on demand of the proxy
and passes this fd to the proxy. To make this work, the child namespace
holding the bind-mount must not only be a new network namespace but also
a new fs namespace.
Do you see a simpler solution?
--
Wilhelm
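The two pieces discussed in this thread, the datagram forwarding step from Daniel's recipe and the helper-daemon idea for stream sockets, as an added example in C that is not code from the thread or from LXC. It passes a connected AF_UNIX descriptor from a helper that stays in the parent network namespace to a proxy that has called unshare(), using SCM_RIGHTS ancillary data, and copies one datagram between two sockets for the /dev/log case. The helper/proxy split over a socketpair, the target path /tmp/.X11-unix/X0, the request byte protocol and all function names are assumptions made for illustration; only main() needs CAP_SYS_ADMIN (for unshare), the helper functions and selftest() run unprivileged.

```c
/* Added example, not from the lxc-devel thread or LXC itself.
 * Assumed design: a helper process keeps the parent netns and connects to
 * TARGET on request; the proxy (after unshare) receives the connected fd
 * over a socketpair via SCM_RIGHTS. */
#define _GNU_SOURCE
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <sys/wait.h>

#define TARGET "/tmp/.X11-unix/X0"   /* assumed real socket in the parent ns */

/* Properly aligned buffer for one SCM_RIGHTS control message carrying an int. */
union cbuf { char buf[CMSG_SPACE(sizeof(int))]; struct cmsghdr align; };

/* Send one descriptor over a connected AF_UNIX socket. Returns 0 or -1. */
int send_fd(int chan, int fd)
{
    char byte = 'F';
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union cbuf u;
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(chan, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one descriptor; returns the new fd, or -1 if the peer sent
 * a plain byte without ancillary data (used as a NAK) or on error. */
int recv_fd(int chan)
{
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union cbuf u;
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    if (recvmsg(chan, &msg, 0) != 1) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS ||
        c->cmsg_len != CMSG_LEN(sizeof(int))) return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}

/* Connect a SOCK_STREAM AF_UNIX socket to path; -1 on error. */
int connect_unix(const char *path)
{
    struct sockaddr_un sa = { .sun_family = AF_UNIX };
    if (strlen(path) >= sizeof sa.sun_path) return -1;
    strcpy(sa.sun_path, path);
    int s = socket(AF_UNIX, SOCK_STREAM, 0);
    if (s < 0) return -1;
    if (connect(s, (struct sockaddr *)&sa, sizeof sa) < 0) { close(s); return -1; }
    return s;
}

/* Copy one datagram (the /dev/log case). Returns bytes copied or -1. */
ssize_t forward_dgram(int from, int to)
{
    char buf[65536];
    ssize_t n = recv(from, buf, sizeof buf, 0);
    if (n < 0) return -1;
    return send(to, buf, (size_t)n, 0) == n ? n : -1;
}

/* Helper loop, run in the parent namespace: each request byte on chan
 * yields one fresh connection to target, handed back with send_fd. */
void helper_loop(int chan, const char *target)
{
    char req, nak = 'N';
    while (read(chan, &req, 1) == 1) {
        int s = connect_unix(target);
        if (s < 0) { if (write(chan, &nak, 1) != 1) break; continue; }
        send_fd(chan, s);
        close(s);   /* the proxy now owns its own reference */
    }
}

/* Unprivileged self-check: pass a pipe end and write through it, then
 * forward one datagram between two socketpairs. Returns 0 on success. */
int selftest(void)
{
    int sp[2], p[2], d1[2], d2[2]; char buf[16];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp) < 0 || pipe(p) < 0) return 1;
    if (send_fd(sp[0], p[1]) < 0) return 2;
    int w = recv_fd(sp[1]);
    if (w < 0 || write(w, "ping", 4) != 4 || read(p[0], buf, 4) != 4 ||
        memcmp(buf, "ping", 4) != 0) return 3;
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, d1) < 0 ||
        socketpair(AF_UNIX, SOCK_DGRAM, 0, d2) < 0) return 4;
    if (send(d1[0], "hello", 5, 0) != 5 || forward_dgram(d1[1], d2[0]) != 5) return 5;
    if (recv(d2[1], buf, sizeof buf, 0) != 5 || memcmp(buf, "hello", 5) != 0) return 6;
    close(w); close(p[0]); close(p[1]); close(sp[0]); close(sp[1]);
    close(d1[0]); close(d1[1]); close(d2[0]); close(d2[1]);
    return 0;
}

int main(void)
{
    int chan[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, chan) < 0) { perror("socketpair"); return 1; }
    pid_t pid = fork();
    if (pid == 0) { close(chan[1]); helper_loop(chan[0], TARGET); _exit(0); }
    close(chan[0]);
    /* Proxy side: leave the parent's net and mount namespaces (needs CAP_SYS_ADMIN).
     * The proxy would then bind its own listener and bind-mount it over TARGET. */
    if (unshare(CLONE_NEWNET | CLONE_NEWNS) < 0) { perror("unshare"); return 1; }
    char req = 'C';                                   /* one client arrived */
    if (write(chan[1], &req, 1) != 1) return 1;
    int xfd = recv_fd(chan[1]);
    printf("fd %d connected to %s via parent namespace\n", xfd, TARGET);
    if (xfd >= 0) close(xfd);
    close(chan[1]);               /* EOF ends the helper loop */
    waitpid(pid, NULL, 0);
    return 0;
}
```

The helper opens a new connection per request, so it does not run into the loop that a pre-connected descriptor causes for stream sockets: the connect() is issued from the parent namespace, where TARGET is still the real server socket, and the proxy in the child namespace never calls connect() on the path it bind-mounted over. The accept/splice loop between the client and the received fd is not shown; it is the same copying as forward_dgram but on stream sockets.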