WireGuard Archive on lore.kernel.org
* bypassing wireguard using firejail
@ 2019-05-10 11:54 Sitaram Chamarty
From: Sitaram Chamarty @ 2019-05-10 11:54 UTC (permalink / raw)
  To: wireguard

I am able to bypass the VPN by using firejail (which is a
sandbox program to run untrusted applications).

Below, the IP addresses and domain names are fake but that
should not matter:

    # wg
    interface: wg0
      public key: ....
      private key: (hidden)
      listening port: 59457
      fwmark: 0xca6c

    peer: ....
      endpoint: 11.22.33.44:51820
      allowed ips: 0.0.0.0/0
      latest handshake: 41 seconds ago
      transfer: 35.42 MiB received, 2.74 MiB sent

    $ curl zx2c4.com/ip
    11.22.33.44                 <--- my wg VPN end point IP
    static.44.33.22.11.elided.tld
    curl/7.64.0

    $ firejail --net=wlp2s0 --dns=8.8.8.8 curl zx2c4.com/ip
    55.66.77.88                 <--- my actual external IP
    elided.hostname.myisp.in
    curl/7.64.0

My questions:

1.  I know firejail is suid root, but still... is there any way
    to prevent this from happening, or at least make it less
    trivial?

    I'm OK with a "this is the way it is, if your untrusted app
    is running as root you're already toast" response; just want
    to make sure I'm not missing a bet here.

2.  I guess I don't know as much about Linux networking as I
    *thought* I knew, especially about policy routing, so I am
    feeling a bit lost here.

    I would prefer not to have to learn lots of things about
    policy routing and so on, so I wonder if there is a simple,
    (wireguard-specific, if possible) explanation of how linux
    policy routing and iptables work behind the scenes to direct
    packets when wireguard is in play?

regards
sitaram
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
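
Added example, not part of the thread: the policy-routing mechanism behind the "fwmark: 0xca6c" line in the wg output above, as a small check script. With wg-quick and AllowedIPs = 0.0.0.0/0, wg-quick (a) sets the interface's fwmark to 51820 (0xca6c), so the encrypted UDP datagrams wg0 itself sends are marked, (b) creates routing table 51820 whose only route is "default dev wg0", (c) adds the rule "not fwmark 51820 lookup 51820", which sends every packet that is not the tunnel's own traffic into wg0, and (d) adds "lookup main suppress_prefixlength 0", which consults the main table first but ignores its default route, so LAN routes keep working while only the marked tunnel packets fall through to the physical default route. None of that applies inside another network namespace: "firejail --net=wlp2s0" creates a fresh namespace with its own empty rule and route tables and a macvlan interface on the physical NIC, so a process in it never sees wg0 or these rules. The script reads "ip rule show" output (live, or the constructed sample a wg-quick host typically shows) and checks that both rules exist for the given fwmark; names, the sample and the default fwmark are assumptions, not anything from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): verify that the wg-quick style policy
# routing rules for a full-tunnel WireGuard interface exist in the current
# network namespace. Pass the fwmark shown by `wg show` (hex or decimal).

# Constructed sample of `ip rule show` on a host configured by wg-quick with
# AllowedIPs = 0.0.0.0/0 (assumption: default fwmark/table 51820 = 0xca6c).
SAMPLE_RULES='0:      from all lookup local
32764:  from all lookup main suppress_prefixlength 0
32765:  not from all fwmark 0xca6c lookup 51820
32766:  from all lookup main
32767:  from all lookup default'

# Usage: wg_fwmark_rules_ok <fwmark>   (ip rule output on stdin)
# Prints the table that unmarked traffic is routed to and returns 0 when both
# rules are present; prints a diagnostic on stderr and returns 1 otherwise.
wg_fwmark_rules_ok() {
    mark="$1"
    case "$mark" in
        0x*) ;;
        *) mark=$(printf '0x%x' "$mark") ;;   # ip prints the mark in hex
    esac
    rules=$(cat)

    # Rule 1: packets that do NOT carry WireGuard's own fwmark are sent to
    # the dedicated table, whose only route is "default dev wg0". The marked
    # packets are the encrypted UDP datagrams wg0 itself emits; they skip
    # this rule and reach the physical default route in "main".
    table=$(printf '%s\n' "$rules" | awk -v m="$mark" '
        /^[0-9]+:/ && $2 == "not" && /fwmark/ {
            for (i = 1; i <= NF; i++)
                if ($i == "fwmark" && $(i+1) == m)
                    for (j = i; j <= NF; j++)
                        if ($j == "lookup") print $(j+1)
        }')
    if [ -z "$table" ]; then
        echo "missing rule: not fwmark $mark lookup <table>" >&2
        return 1
    fi

    # Rule 2: consult "main" first but ignore its default route
    # (suppress_prefixlength 0), so LAN and other specific routes still win
    # while the default route is left to rule 1.
    if ! printf '%s\n' "$rules" | grep -q 'lookup main suppress_prefixlength 0'; then
        echo "missing rule: from all lookup main suppress_prefixlength 0" >&2
        return 1
    fi

    echo "$table"
}

case "${1:-sample}" in
    live)   ip rule show | wg_fwmark_rules_ok "${2:-0xca6c}" ;;
    sample) printf '%s\n' "$SAMPLE_RULES" | wg_fwmark_rules_ok 0xca6c ;;
    *)      echo "usage: $0 [live [fwmark]|sample]" >&2 ;;
esac
```

Run it as "sh wgrules.sh live 0xca6c" in the namespace you care about; running it under "firejail --net=..." would report the rules missing, which is exactly the bypass the post demonstrates.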


* Re: bypassing wireguard using firejail
@ 2019-05-10 14:06 ` Jordan Glover
From: Jordan Glover @ 2019-05-10 14:06 UTC (permalink / raw)
  To: Sitaram Chamarty; +Cc: wireguard

On Friday, May 10, 2019 11:54 AM, Sitaram Chamarty <sitaramc@gmail.com> wrote:

> I am able to bypass the VPN by using firejail (which is a
> sandbox program to run untrusted applications).
>
> Below, the IP addresses and domain names are fake but that
> should not matter:
>
> # wg
> interface: wg0
> public key: ....
> private key: (hidden)
> listening port: 59457
> fwmark: 0xca6c
>
> peer: ....
> endpoint: 11.22.33.44:51820
> allowed ips: 0.0.0.0/0
> latest handshake: 41 seconds ago
> transfer: 35.42 MiB received, 2.74 MiB sent
>
> $ curl zx2c4.com/ip
> 11.22.33.44 <--- my wg VPN end point IP
> static.44.33.22.11.elided.tld
> curl/7.64.0
>
> $ firejail --net=wlp2s0 --dns=8.8.8.8 curl zx2c4.com/ip
> 55.66.77.88 <--- my actual external IP
> elided.hostname.myisp.in
> curl/7.64.0
>
> My questions:
>
> 1.  I know firejail is suid root, but still... is there any way
>     to prevent this from happening, or at least make it less
>     trivial?
>
>     I'm OK with a "this is the way it is, if your untrusted app
>     is running as root you're already toast" response; just want
>     to make sure I'm not missing a bet here.
>
> 2.  I guess I don't know as much about Linux networking as I
>     thought I knew, especially about policy routing, so I am
>     feeling a bit lost here.
>
>     I would prefer not to have to learn lots of things about
>     policy routing and so on, so I wonder if there is a simple,
>     (wireguard-specific, if possible) explanation of how linux
>     policy routing and iptables work behind the scenes to direct
>     packets when wireguard is in play?
>
>     regards
>     sitaram
>
>

This is a known firejail feature[1]. If you want to protect yourself
from this footgun you may add "restricted-network yes" in
/etc/firejail/firejail.config

I don't see anything for wireguard to do here. If a system admin wants
to bypass the routes, they will.

[1] https://github.com/netblue30/firejail/issues/2665

Jordan
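
Added example, not part of the thread: Jordan's fix is one directive in /etc/firejail/firejail.config. With "restricted-network yes", firejail reserves its networking options such as --net for root, so an unprivileged user can no longer obtain a namespace with its own interface on the physical NIC. The script below reports the effective value of that directive in a config file and switches it to yes without duplicating lines. Format assumptions (mine, not from the thread): one "key value" directive per line, "#" starts a comment (the shipped file lists defaults as commented-out lines such as "# restricted-network no"), and the last uncommented directive wins.

```shell
#!/bin/sh
# Added example, not from the thread: report and set the effective value of
# "restricted-network" in a firejail.config file.

# Constructed sample resembling a stock /etc/firejail/firejail.config.
SAMPLE_CONFIG='# Enable or disable restricted network support.
# restricted-network no
# Other settings
xephyr-screen 800x600
'

# Usage: restricted_network_value <config-file>
# Prints "yes", "no", or "unset".
restricted_network_value() {
    awk '
        /^[[:space:]]*#/ { next }              # skip comments
        $1 == "restricted-network" { v = $2 }  # last directive wins
        END { print (v == "" ? "unset" : v) }
    ' "$1"
}

# Usage: enable_restricted_network <config-file>
# Idempotently makes "restricted-network yes" the effective setting by
# rewriting existing directives and appending one if none is present.
# The file is written in place (cat > file) so its owner and mode survive.
enable_restricted_network() {
    f="$1"
    [ "$(restricted_network_value "$f")" = "yes" ] && return 0
    tmp=$(mktemp) || return 1
    awk '
        /^[[:space:]]*#/ { print; next }
        $1 == "restricted-network" { print "restricted-network yes"; seen = 1; next }
        { print }
        END { if (!seen) print "restricted-network yes" }
    ' "$f" > "$tmp" && cat "$tmp" > "$f"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Stand-alone use: "check [file]" reports, "fix [file]" enables (as root).
case "${1:-}" in
    check) echo "restricted-network: $(restricted_network_value "${2:-/etc/firejail/firejail.config}")" ;;
    fix)   enable_restricted_network "${2:-/etc/firejail/firejail.config}" ;;
esac
```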


* Re: bypassing wireguard using firejail
@ 2019-05-10 14:39   ` Sitaram Chamarty
From: Sitaram Chamarty @ 2019-05-10 14:39 UTC (permalink / raw)
  To: Jordan Glover; +Cc: wireguard

On Fri, May 10, 2019 at 02:06:04PM +0000, Jordan Glover wrote:
> On Friday, May 10, 2019 11:54 AM, Sitaram Chamarty <sitaramc@gmail.com> wrote:
> 
> > I am able to bypass the VPN by using firejail (which is a
> > sandbox program to run untrusted applications).
> >
> > Below, the IP addresses and domain names are fake but that
> > should not matter:
> >
> > # wg
> > interface: wg0
> > public key: ....
> > private key: (hidden)
> > listening port: 59457
> > fwmark: 0xca6c
> >
> > peer: ....
> > endpoint: 11.22.33.44:51820
> > allowed ips: 0.0.0.0/0
> > latest handshake: 41 seconds ago
> > transfer: 35.42 MiB received, 2.74 MiB sent
> >
> > $ curl zx2c4.com/ip
> > 11.22.33.44 <--- my wg VPN end point IP
> > static.44.33.22.11.elided.tld
> > curl/7.64.0
> >
> > $ firejail --net=wlp2s0 --dns=8.8.8.8 curl zx2c4.com/ip
> > 55.66.77.88 <--- my actual external IP
> > elided.hostname.myisp.in
> > curl/7.64.0
> >
> > My questions:
> >
> > 1.  I know firejail is suid root, but still... is there any way
> >     to prevent this from happening, or at least make it less
> >     trivial?
> >
> >     I'm OK with a "this is the way it is, if your untrusted app
> >     is running as root you're already toast" response; just want
> >     to make sure I'm not missing a bet here.
> >
> > 2.  I guess I don't know as much about Linux networking as I
> >     thought I knew, especially about policy routing, so I am
> >     feeling a bit lost here.
> >
> >     I would prefer not to have to learn lots of things about
> >     policy routing and so on, so I wonder if there is a simple,
> >     (wireguard-specific, if possible) explanation of how linux
> >     policy routing and iptables work behind the scenes to direct
> >     packets when wireguard is in play?
> >
> >     regards
> >     sitaram
> >
> >
> 
> This is known firejail feature[1]. If you want to prevent yourself
> from this footgun you may add "restricted-network yes" in
> /etc/firejail/firejail.config

Thanks.


* Fwd: bypassing wireguard using firejail
@ 2019-05-10 16:18   ` " Steve Dodd
From: Steve Dodd @ 2019-05-10 16:18 UTC (permalink / raw)
  To: wireguard


[sent to author only originally by mistake - I hate Gmail]

On Fri, 10 May 2019 at 12:56, Sitaram Chamarty <sitaramc@gmail.com> wrote:

> I am able to bypass the VPN by using firejail (which is a
> sandbox program to run untrusted applications).
>

I'm not 100% clear on your setup .. Have you got a network namespace set
up? If not, you haven't got much security anyway, I suspect. It turns out
it's not too hard .. you're welcome to my hacky scripts if you're
interested.

Not sure if firejail would still be able to escape a network namespace by
default, but I'm sure it's possible to drop a capability somewhere or
similar if it is.

S.



* Re: Fwd: bypassing wireguard using firejail
@ 2019-05-11  1:08     ` Sitaram Chamarty
From: Sitaram Chamarty @ 2019-05-11  1:08 UTC (permalink / raw)
  To: Steve Dodd; +Cc: wireguard

On Fri, May 10, 2019 at 05:18:39PM +0100, Steve Dodd wrote:
> [sent to author only originally by mistake - I hate Gmail]
> 
> On Fri, 10 May 2019 at 12:56, Sitaram Chamarty <sitaramc@gmail.com> wrote:
> 
> > I am able to bypass the VPN by using firejail (which is a
> > sandbox program to run untrusted applications).
> >
> 
> I'm not 100% clear on your setup .. Have you got a network namespace set
> up? If not, you haven't got much security anyway, I suspect. It turns out
> it's not too hard .. you're welcome to my hacky scripts if you're
> interested.

I don't think it has anything to do with my wireguard setup.

If you meant firejail setup, it is when I use "--net" (which,
according to the manpage, "Enable[s] a new network namespace and
connect[s] it to this ethernet interface"), that the bypass
happens.

> Not sure if firejail would still be able to escape a network namespace by
> default, but I'm sure it's possible to drop a capability somewhere or
> similar if it is.

The answer, as I'd kinda suspected (and indicated in my original
mail) is that root can always bypass the vpn.  For firejail
specifically there's a setting (thanks Jordan Glover) to prevent
that specific escape, which I have now set.

Some other tool, if it's running as root or is suid root, can
still bypass wireguard, regardless of how it is set up.

* Re: Fwd: bypassing wireguard using firejail
@ 2019-05-11 11:34       ` Steve Dodd
From: Steve Dodd @ 2019-05-11 11:34 UTC (permalink / raw)
  To: Sitaram Chamarty; +Cc: wireguard


On Sat, 11 May 2019 at 02:09, Sitaram Chamarty <sitaramc@gmail.com> wrote:

> On Fri, May 10, 2019 at 05:18:39PM +0100, Steve Dodd wrote:
>


> > I'm not 100% clear on your setup .. Have you got a network namespace set
> > up? If not, you haven't got much security anyway, I suspect. It turns out
> > it's not too hard .. you're welcome to my hacky scripts if you're
> > interested.
>
> I don't think it has anything to do with my wireguard setup.
>

Network namespaces are worth looking into - it's what I used to avoid
things "escaping" the VPN. They literally can't see any other interfaces,
get their own routing table, etc.

Hacky scripts:

setup: https://pastebin.com/TChbUfL5
teardown: https://pastebin.com/ghYGJQEw
runas: https://pastebin.com/h9vEvryt (this needs to be run by sudo - edit
sudoers appropriately)

WG website has gory details:

https://www.wireguard.com/netns/


> If you meant firejail setup, it is when I use "--net" (which,
> according to the manpage, "Enable[s] a new network namespace and
> connect[s] it to this ethernet interface", that the bypass
> happens.
>

I was meaning setting up a namespace before running firejail .. I actually
find it's tidier and avoids confusion about default routes, etc. Then the
interesting question would be if firejail could break out of that
namespace, and if so how to stop it.


> Some other tool, if it's running as root or is suid root, can
> still bypass wireguard, regardless of how it is setup.
>

I suspect that can be prevented - on modern systems being root isn't
necessarily the be-all and end-all. Capabilities and namespaces can still
be used to constrain applications in lots of ways.

S.
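
Added example, not part of the thread and not the pastebin scripts or the wireguard.com page linked above: the "new namespace" pattern Steve is describing, as a small script. The WireGuard interface is created in the init namespace, so its UDP socket stays there and the encrypted packets leave via the physical NIC, and is then moved into a dedicated namespace that contains nothing but lo and wg0. A process started inside that namespace has no other interface and no other route, so there is nothing for it to "escape" to; the question of whether a tool can break out of the namespace is then a capabilities question (CAP_SYS_ADMIN to setns/unshare), not a routing one. Assumptions of mine: the namespace name "vpn", the interface "wg0", a wg(8)-format config file (derive one from a wg-quick file with "wg-quick strip wg0", since setconf rejects Address/DNS lines) and the tunnel address 10.0.0.2/32 are placeholders. DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not from the thread or from wireguard.com: run a WireGuard
# interface inside its own network namespace and start programs there.

NS="${NS:-vpn}"                            # placeholder namespace name
WG="${WG:-wg0}"
CONF="${CONF:-/etc/wireguard/wg0.conf}"    # wg(8) format: [Interface]/[Peer] only
ADDR="${ADDR:-10.0.0.2/32}"                # placeholder tunnel address

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Create the namespace and move a freshly created WireGuard interface into
# it. The interface is created in the init namespace on purpose: WireGuard
# keeps sending its encrypted UDP from the namespace it was born in.
setup_vpn_netns() {
    run ip netns add "$NS"
    run ip link add "$WG" type wireguard
    run ip link set "$WG" netns "$NS"
    run ip netns exec "$NS" wg setconf "$WG" "$CONF"
    run ip -n "$NS" addr add "$ADDR" dev "$WG"
    run ip -n "$NS" link set lo up
    run ip -n "$NS" link set "$WG" up
    # The only route: everything goes through the tunnel. No physical
    # interface exists in here, so there is nothing to fall back to.
    run ip -n "$NS" route add default dev "$WG"
}

# Remove the namespace; deleting it also destroys the wg interface inside.
teardown_vpn_netns() {
    run ip netns del "$NS"
}

# Run a command inside the namespace as the invoking (non-root) user.
# If /etc/netns/$NS/resolv.conf exists, `ip netns exec` bind-mounts it over
# /etc/resolv.conf, so DNS can be pinned to a resolver reached via the tunnel.
run_in_vpn() {
    run ip netns exec "$NS" sudo -u "${SUDO_USER:-nobody}" -- "$@"
}

# List the interfaces visible inside the namespace; a correct setup shows
# only lo and wg0.
list_vpn_links() {
    run ip -n "$NS" -o link show
}

case "${1:-}" in
    up)    setup_vpn_netns ;;
    down)  teardown_vpn_netns ;;
    check) list_vpn_links ;;
    run)   shift; run_in_vpn "$@" ;;
    *)     echo "usage: $0 up|down|check|run <command...>" >&2 ;;
esac
```

Typical use is "sudo sh wgns.sh up", then "sudo sh wgns.sh run curl zx2c4.com/ip", which should print the tunnel endpoint's address; "sudo sh wgns.sh check" is the quick way to confirm that no macvlan or other interface has appeared in the namespace.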


* Re: Fwd: bypassing wireguard using firejail
@ 2019-05-14  4:05         ` Sitaram Chamarty
From: Sitaram Chamarty @ 2019-05-14  4:05 UTC (permalink / raw)
  To: Steve Dodd; +Cc: wireguard



On 11/05/2019 17.04, Steve Dodd wrote:
> On Sat, 11 May 2019 at 02:09, Sitaram Chamarty <sitaramc@gmail.com
> <mailto:sitaramc@gmail.com>> wrote:

>     Some other tool, if it's running as root or is suid root, can
>     still bypass wireguard, regardless of how it is setup.
> 
> 
> I suspect that can be prevented - on modern systems being root isn't
> necessarily the be-all and end-all. Capabilities and namespaces can
> still be used to  constrain applications in lots of ways.

Thanks for the links.  I had not read the netns page on wireguard.com
till now.

The last section of that page, "the new namespace solution", appears to
do exactly this; I'm going to try that out when I get some time.

thanks again
sitaram