From: Julian Orth <ju.orth@gmail.com>
To: wireguard@lists.zx2c4.com
Subject: [PATCH 0/7] Allow changing the transit namespace
Date: Sat, 8 Sep 2018 14:18:34 +0200
Message-ID: <20180908121841.8372-1-ju.orth@gmail.com>
This series allows users to change the transit namespace after the
Wireguard device has been created. The transit namespace is the
namespace in which the Wireguard UDP socket lives.

This allows Wireguard to be used in unprivileged containers [1]. This is
based on the following observation:

* Within the unprivileged container, the user has CAP_NET_ADMIN and can
  create a Wireguard device.
* In the init namespace, the user can create a UDP socket and bind to an
  unprivileged port.

Therefore, the following is possible as an ordinary user:

  $ unshare -r -U
  $ export SAVED_PID=$$
  $ unshare -n
  $ ip link add wg0 type wireguard
  $ wg set wg0 transit-net $SAVED_PID

wg(1) accepts the following new argument:

  wg set <device> transit-net <pid|file-path>

The distinction is made based on the format of the argument. If it is an
unsigned 32 bit integer, then it is interpreted as a process id.
Otherwise it is interpreted as a file path. /proc does not need to be
mounted to use the process id interpretation. To force the
interpretation as a file-path, use a ./ prefix.
[1] https://stgraber.org/2014/01/17/lxc-1-0-unprivileged-containers/
Julian Orth (7):
device: protect socket_init with device_update_lock
device: rename creating_net to transit_net
device: store a copy of the device net
socket: allow modification of transit_net
netlink: allow setting of transit net
tools: allow setting of transit net
tests: add test for transit-net
src/device.c | 46 ++++++++++++++++++++++++-------------
src/device.h | 6 +++--
src/netlink.c | 52 ++++++++++++++++++++++++++++++++----------
src/socket.c | 18 ++++++++-------
src/socket.h | 6 ++---
src/tests/netns.sh | 40 ++++++++++++++++++++++++++++++++
src/tools/config.c | 32 ++++++++++++++++++++++++++
src/tools/containers.h | 6 ++++-
src/tools/ipc.c | 4 ++++
src/tools/man/wg.8 | 9 ++++++--
src/tools/set.c | 2 +-
src/uapi/wireguard.h | 12 +++++++---
12 files changed, 185 insertions(+), 48 deletions(-)
--
2.18.0
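As an added illustration of the pid-or-path rule described in the cover letter (this is example code written for this page, not code from the patch series or from the wg(1) tools), the routine below classifies a transit-net argument the way the text describes: a string that parses as an unsigned 32-bit integer is a process id, anything else is a file path, and a "./" prefix forces the path interpretation. The function names classify_transit_net and transit_path_arg are hypothetical. The second helper shows the caveat a script author wants: a relative path that happens to look like a number (a namespace handle bind-mounted at a file named "1234", say) would be read as a pid, so it has to be passed with the "./" prefix.

```c
/* Added example, not part of the patch series: apply the wg(1)
 * "transit-net <pid|file-path>" disambiguation rule from the cover letter.
 * classify_transit_net and transit_path_arg are hypothetical names. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum transit_kind { TRANSIT_INVALID = 0, TRANSIT_PID, TRANSIT_PATH };

/* Returns TRANSIT_PID and stores the value in *pid_out when arg is a plain
 * decimal number that fits in a uint32_t (no sign, whitespace or trailing
 * characters; values above 4294967295 do not qualify). Any other non-empty
 * string, including "./1234" and "/proc/1/ns/net", is a path. An empty or
 * NULL argument is invalid. The caller still has to check that the pid
 * refers to a live process; 0 is classified as a pid here but is not one. */
enum transit_kind classify_transit_net(const char *arg, uint32_t *pid_out)
{
    if (!arg || !*arg)
        return TRANSIT_INVALID;

    /* strtoull() would skip leading whitespace and accept '+' or '-';
     * only a string that starts with a digit may be a pid. */
    if (arg[0] < '0' || arg[0] > '9')
        return TRANSIT_PATH;

    char *end;
    errno = 0;
    unsigned long long v = strtoull(arg, &end, 10);
    if (errno == ERANGE || *end != '\0' || v > UINT32_MAX)
        return TRANSIT_PATH;     /* "12abc", "4294967296": not a u32, so a path */

    if (pid_out)
        *pid_out = (uint32_t)v;
    return TRANSIT_PID;
}

/* Build the argument to pass for a caller-supplied file path. If the path
 * would be read as a pid, prepend "./" so it is taken as a path instead.
 * Returns the length written (excluding the NUL) or -1 if buf is too small. */
int transit_path_arg(const char *path, char *buf, size_t buflen)
{
    uint32_t unused;
    const char *prefix =
        classify_transit_net(path, &unused) == TRANSIT_PID ? "./" : "";
    int n = snprintf(buf, buflen, "%s%s", prefix, path);
    if (n < 0 || (size_t)n >= buflen)
        return -1;
    return n;
}

int main(int argc, char **argv)
{
    uint32_t pid = 0;
    const char *arg = argc > 1 ? argv[1] : "1234";
    switch (classify_transit_net(arg, &pid)) {
    case TRANSIT_PID:
        printf("%s -> pid %u\n", arg, (unsigned)pid);
        break;
    case TRANSIT_PATH:
        printf("%s -> file path\n", arg);
        break;
    default:
        printf("empty argument\n");
        break;
    }
    return 0;
}
```

Note that the rule is purely syntactic: nothing here opens /proc or consults the kernel, which matches the cover letter's remark that /proc need not be mounted for the pid interpretation. Whether the pid actually names a process, and whether the caller is allowed to attach to that process's network namespace, is decided by the kernel when the netlink request is made.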
Thread overview: 17+ messages
2018-09-08 12:18 Julian Orth [this message]
2018-09-08 12:18 ` [PATCH 1/7] device: protect socket_init with device_update_lock Julian Orth
2018-09-08 12:18 ` [PATCH 2/7] device: rename creating_net to transit_net Julian Orth
2018-09-08 12:18 ` [PATCH 3/7] device: store a copy of the device net Julian Orth
2018-09-08 12:18 ` [PATCH 4/7] socket: allow modification of transit_net Julian Orth
2018-09-08 12:18 ` [PATCH 5/7] netlink: allow setting of transit net Julian Orth
2018-09-08 14:03 ` Aaron Jones
2018-09-08 14:20 ` Julian Orth
2018-09-08 14:28 ` Aaron Jones
2018-09-08 12:18 ` [PATCH 6/7] tools: " Julian Orth
2018-09-08 14:04 ` Aaron Jones
2018-09-08 14:09 ` Aaron Jones
2018-09-08 14:18 ` Julian Orth
2018-09-08 14:25 ` Aaron Jones
2018-09-08 12:18 ` [PATCH 7/7] tests: add test for transit-net Julian Orth
2018-09-08 13:39 ` [PATCH 0/7] Allow changing the transit namespace Bruno Wolff III
2018-09-08 13:49 ` Julian Orth