[lxc-devel] af_unix isolation

Wilhelm Meier wilhelm.meier at fh-kl.de
Thu Nov 12 16:30:09 UTC 2009


Hi,

Daniel Lezcano schrieb:
> Wilhelm Meier wrote:
>> Hi Daniel,
>>
>> Daniel Lezcano schrieb:
>>> Wilhelm Meier wrote:
>>>> Hi,
>>>>
>>>> is it possible to disable the isolation of AF_UNIX sockets? At least 
>>>> between a parent and a child network namespace? Or is there any 
>>>> other way that a child namespace can communicate with its parent 
>>>> through an AF_UNIX socket?
>>>>   
>>> Hi Wilhelm,
>>>
>>> It is not possible to disable the AF_UNIX socket isolation; there was a 
>>> discussion about making it possible to connect to an af_unix socket via 
>>> the filesystem if it was visible, but that was considered 
>>> potentially dangerous.
>>>
>>> Maybe you can do the following or something similar:
>>>
>>> - connect to the AF_UNIX socket before unsharing the namespace.
>>> - unshare the netns
>>> - create an af_unix socket somewhere (eg. /var/tmp/.pam_netns.1234)
>>> - bind mount /var/tmp/.pam_netns.1234 to /tmp/.X11-unix/X0
>>> - use splice to proxy the traffic between the real /tmp/.X11-unix/X0 
>>> and /var/tmp/.pam_netns.1234
>>
>> I tried this setup for /dev/log:
>>
>> 1) create a PF_UNIX/SOCK_DGRAM and connect it to /dev/log
>> 2) unshare(CLONE_NEWNET)
>> 3) start proxy from /dev/log.1234 to /dev/log using fd from 1)
>> 4) bind-mount /dev/log.1234 on /dev/log
>>
>> Then I get a loop: sending messages to /dev/log, the proxy sends them 
>> to the connected socket from 1) which results in getting the messages 
>> again and again.
>> This also happens if 2) is unshare(CLONE_NEWNET | CLONE_NEWNS).

ok, this was my fault because I was using syslog() in the proxy. So the 
proxy wanted to syslog some debug information, resulting in a connect to 
/dev/log, which was actually the bind-mounted socket. Then the proxy 
reads its own syslog message and sends it out again ...

Eliminating the syslog call in the transfer path and using an ordinary 
log file solves the problem.

Now that this is working I ran into the next problem: if I try to use 
the same approach for a stream socket (like /tmp/.X11-unix/X0) I can't 
use a pre-connected socket from the parent namespace. For every incoming 
connection request it has to open a new connection to /tmp/.X11-unix/X0. 
But if the proxy socket is bind-mounted over this socket, a loop results.

The only thing which comes to my mind is to use a helper daemon in the 
parent namespace connecting to /tmp/.X11-unix/X0 on demand from the proxy 
and passing this fd to the proxy. To make this work, the child namespace 
holding the bind mount must be not only a new network namespace but also a 
new fs namespace.

Do you see a simpler solution?

-- 
Wilhelm
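The helper-daemon design in the message above (a process in the parent namespace connects to the real socket and hands the connected fd to the proxy) rests on SCM_RIGHTS descriptor passing over an AF_UNIX connection that was established before the unshare; the kernel transfers the open file itself, not a path, so the copy stays usable on the proxy side regardless of namespace. The following is an added example, not code from the thread or from LXC, showing the two halves of that handoff; a socketpair stands in for the helper/proxy connection and a pipe for the connected X socket, so it runs unprivileged.

```c
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <unistd.h>
/* Hand one descriptor to the peer of a connected AF_UNIX socket (SCM_RIGHTS).
 * One payload byte rides along: Linux drops ancillary data on empty sends. */
int send_fd(int sock, int fd) {
    char byte = 'F';
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    char ctl[CMSG_SPACE(sizeof(int))];
    memset(ctl, 0, sizeof ctl);
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = ctl, .msg_controllen = sizeof ctl };
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET; cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one descriptor; returns the new local fd number or -1. */
int recv_fd(int sock) {
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    char ctl[CMSG_SPACE(sizeof(int))];
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = ctl, .msg_controllen = sizeof ctl };
    if (recvmsg(sock, &msg, 0) != 1) return -1;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    if (!cm || cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS)
        return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    return fd;
}

/* Self-check standing in for helper -> proxy: the pipe's read end plays the
 * connected X socket. Returns 1 if data read through the passed copy matches. */
int fd_passing_roundtrip(void) {
    int sp[2], pp[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp) < 0 || pipe(pp) < 0) return 0;
    if (send_fd(sp[0], pp[0]) < 0) return 0;
    int got = recv_fd(sp[1]);
    if (got < 0) return 0;
    char buf[2] = { 0, 0 };
    if (write(pp[1], "ok", 2) != 2 || read(got, buf, 2) != 2) return 0;
    close(got); close(pp[0]); close(pp[1]); close(sp[0]); close(sp[1]);
    return memcmp(buf, "ok", 2) == 0;
}
```

In the real setup the helper would call connect() on /tmp/.X11-unix/X0 for each request and send_fd() the result; because the proxy never opens the path itself, the bind mount over that path cannot feed it back into its own listener.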