WireGuard Archive on lore.kernel.org
 help / color / Atom feed
* Unprivileged WireGuard
@ 2019-09-01 17:22 mindless
  0 siblings, 0 replies; only message in thread
From: mindless @ 2019-09-01 17:22 UTC (permalink / raw)
  To: wireguard

Lately I've been fiddling around with namespaces and I thought that
it would be great to have an ability to create wireguard interfaces 
requiring CAP_NET_ADMIN.

In Linux, any user can unshare into a new user namespace and
gain all capabilities there and simultaneously the user can unshare into 
new network namespace, thus gaining an ability to create any network 
in the newly created namespace. The only problem we are facing now is 
since we are in the new network namespace, we can't reach the outside 
via physical/whatever interfaces the initial network namespace had.

The problem is trivially solved when using any TUN-based implementation 
(such as
wireguard-go): create UDP socket for wireguard traffic in the initial 
namespace and then don't close the resulting file descriptor while 
after unsharing use this socket for sending and receiving encapsulated 
Binding and listening on non-privilged ports is allowed for all users.

However, for the kernel implementation this problem is unsolvable 
because it
creates sockets in kernel by itself. I guess, one could pass the 
socket's fd
number via netlink, the kernel module would then look it up in the 
of the netlink peer and then use this socket for initialization. But 
there is
no way to invalidate the socket fd in the userspace so we have to count 
on user
to not to use it in any way after having sent it via netlink.

Is this a viable solution? Forgive me if I'm spewing nonsense, I have 
touched kernel code in any way.
WireGuard mailing list

^ permalink raw reply	[flat|nested] only message in thread

only message in thread, back to index

Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-09-01 17:22 Unprivileged WireGuard mindless

WireGuard Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/wireguard/0 wireguard/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 wireguard wireguard/ https://lore.kernel.org/wireguard \
		wireguard@lists.zx2c4.com zx2c4-wireguard@archiver.kernel.org
	public-inbox-index wireguard

Newsgroup available over NNTP:

AGPL code for this site: git clone https://public-inbox.org/ public-inbox