From: Steve Dodd <steved424@gmail.com>
To: Sitaram Chamarty <sitaramc@gmail.com>
Cc: wireguard@lists.zx2c4.com
Subject: Re: Fwd: bypassing wireguard using firejail
Date: Sat, 11 May 2019 12:34:18 +0100
Message-ID: <CAJ6XMjFeO6uZRPts7w20qvkHoN7kZC6R4cH8s9BwF0nTU6rpCg@mail.gmail.com>
In-Reply-To: <20190511010857.GA15995@sita-dell>


On Sat, 11 May 2019 at 02:09, Sitaram Chamarty <sitaramc@gmail.com> wrote:

> On Fri, May 10, 2019 at 05:18:39PM +0100, Steve Dodd wrote:
>
> > I'm not 100% clear on your setup .. Have you got a network namespace set
> > up? If not, you haven't got much security anyway, I suspect. It turns out
> > it's not too hard .. you're welcome to my hacky scripts if you're
> > interested.
>
> I don't think it has anything to do with my wireguard setup.
>

Network namespaces are worth looking into - it's what I used to avoid
things "escaping" the VPN. They literally can't see any other interfaces,
get their own routing table, etc.

Hacky scripts:

setup: https://pastebin.com/TChbUfL5
teardown: https://pastebin.com/ghYGJQEw
runas: https://pastebin.com/h9vEvryt (this needs to be run by sudo - edit
sudoers appropriately)

WG website has gory details:

https://www.wireguard.com/netns/


> If you meant firejail setup, it is when I use "--net" (which,
> according to the manpage, "Enable[s] a new network namespace and
> connect[s] it to this ethernet interface") that the bypass
> happens.
>

I meant setting up a namespace before running firejail. I actually
find it's tidier and avoids confusion about default routes, etc. Then the
interesting question would be whether firejail could break out of that
namespace, and if so how to stop it.


> Some other tool, if it's running as root or is suid root, can
> still bypass wireguard, regardless of how it is setup.
>

I suspect that can be prevented - on modern systems being root isn't
necessarily the be-all and end-all. Capabilities and namespaces can still
be used to constrain applications in lots of ways.

S.
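The setup the message above describes (a network namespace whose only interface is the WireGuard tunnel, so a sandboxed program has nothing else to route over) as an added example. This is not the author's pastebin scripts and not part of wireguard-tools; it follows the sequence documented at https://www.wireguard.com/netns/ . The namespace name `vpn`, the config path, the tunnel address and the `setpriv` capability drop for the exec step are assumptions; running it for real needs root, iproute2 and wireguard-tools, while `WG_DRY_RUN=1` only prints the commands it would run.

```shell
#!/bin/sh
# Added example (not the list author's scripts): confine an application to a
# network namespace that contains only a WireGuard interface.
# Assumed names: namespace "vpn", interface wg0, wg(8)-format config file,
# tunnel address 10.0.0.2/32. Override them via the environment.
set -eu

NS="${WG_NS:-vpn}"
WG_IF="${WG_IF:-wg0}"
WG_CONF="${WG_CONF:-/etc/wireguard/wg0.conf}"   # wg setconf format, no Address=
WG_ADDR="${WG_ADDR:-10.0.0.2/32}"

# Execute a command, or only print it when WG_DRY_RUN=1 (used for testing
# the sequence without root).
run() {
    if [ "${WG_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

vpn_up() {
    run ip netns add "$NS"
    run ip -n "$NS" link set lo up
    # Create and configure the interface in the init namespace first: its
    # UDP socket is bound there, so handshakes leave via the physical uplink.
    run ip link add "$WG_IF" type wireguard
    run wg setconf "$WG_IF" "$WG_CONF"
    # Moving the interface takes the tunnel endpoint into the namespace while
    # the UDP socket stays behind; inside, wg0 is the only non-loopback device.
    run ip link set "$WG_IF" netns "$NS"
    run ip -n "$NS" addr add "$WG_ADDR" dev "$WG_IF"
    run ip -n "$NS" link set "$WG_IF" up
    # Default route over the tunnel; there is no other interface to fall back to.
    run ip -n "$NS" route add default dev "$WG_IF"
}

vpn_down() {
    run ip -n "$NS" link del "$WG_IF"
    run ip netns del "$NS"
}

# Run a command inside the namespace as the invoking (sudo) user, with no new
# privileges and an empty capability bounding set, so a setuid helper inside
# cannot regain CAP_NET_ADMIN to add interfaces or leave the namespace.
vpn_exec() {
    uid="${SUDO_UID:-$(id -u)}"
    gid="${SUDO_GID:-$(id -g)}"
    run ip netns exec "$NS" setpriv --reuid="$uid" --regid="$gid" --init-groups \
        --no-new-privs --bounding-set=-all "$@"
}

case "${1:-}" in
    up)   vpn_up ;;
    down) vpn_down ;;
    exec) shift; vpn_exec "$@" ;;
    "")   ;;   # no verb: functions are defined only (e.g. when sourced)
    *)    printf 'usage: %s up|down|exec CMD...\n' "$0" >&2; exit 2 ;;
esac
```

A quick leak check after `up`: `ip netns exec vpn ip route` should list only the default route via wg0, and `ip netns exec vpn ip link` only lo and wg0; if the tunnel goes down, traffic inside the namespace fails rather than falling back to the uplink. The `setpriv` line is the capability-dropping idea from the last paragraph of the message applied at the exec step; a firejail `--net=` invocation started from within `vpn_exec` would inherit the same constraints.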



Thread overview: 7+ messages
2019-05-10 11:54 bypassing wireguard using firejail Sitaram Chamarty
2019-05-10 14:06 ` Jordan Glover
2019-05-10 14:39   ` Sitaram Chamarty
     [not found] ` <CAJ6XMjFxfm=0L2URLzn8pkZY1y4zU+mskgd7ykRKOjXSza4tSA@mail.gmail.com>
2019-05-10 16:18   ` Fwd: " Steve Dodd
2019-05-11  1:08     ` Sitaram Chamarty
2019-05-11 11:34       ` Steve Dodd [this message]
2019-05-14  4:05         ` Sitaram Chamarty
