* Unprivileged WireGuard
@ 2019-09-01 17:22 mindless
From: mindless @ 2019-09-01 17:22 UTC (permalink / raw)
  To: wireguard

Lately I've been fiddling around with namespaces and I thought that it would be great to have an ability to create wireguard interfaces without requiring CAP_NET_ADMIN.

In Linux, any user can unshare into a new user namespace and gain all capabilities there, and simultaneously the user can unshare into a new network namespace, thus gaining an ability to create any network interface in the newly created namespace. The only problem we are facing now is that since we are in the new network namespace, we can't reach the outside network via physical/whatever interfaces the initial network namespace had.

The problem is trivially solved when using any TUN-based implementation (such as wireguard-go): create a UDP socket for wireguard traffic in the initial network namespace and then don't close the resulting file descriptor while unsharing; after unsharing, use this socket for sending and receiving encapsulated traffic. Binding and listening on non-privileged ports is allowed for all users.

However, for the kernel implementation this problem is unsolvable because it creates sockets in the kernel by itself. I guess one could pass the socket's fd number via netlink; the kernel module would then look it up in the task_struct of the netlink peer and then use this socket for initialization. But there is no way to invalidate the socket fd in the userspace, so we have to count on the user not to use it in any way after having sent it via netlink.

Is this a viable solution? Forgive me if I'm spewing nonsense; I have never touched kernel code in any way.
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
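The socket-inheritance trick the message describes for TUN-based implementations, written out as an added example (it is not code from the post or from the WireGuard project). It binds two UDP sockets on loopback in the initial network namespace, forks, and has the child call unshare(CLONE_NEWUSER | CLONE_NEWNET). The child then sends a datagram through the inherited socket (which stays attached to the original namespace) and through a socket created after the unshare (which lives in the new, empty namespace and cannot reach 127.0.0.1). All function and enum names are the example's own; it assumes Linux with unprivileged user namespaces enabled, and reports DEMO_UNSHARE_UNSUPPORTED rather than failing where the kernel or a container seccomp policy refuses the unshare.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <sched.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <sys/wait.h>
#include <unistd.h>

/* Outcome of the demonstration (names are this example's own). */
enum demo_result {
    DEMO_OK = 0,                  /* inherited socket delivered, fresh socket could not */
    DEMO_UNSHARE_UNSUPPORTED = 1, /* unshare(CLONE_NEWUSER|CLONE_NEWNET) was refused */
    DEMO_ERROR = -1               /* unexpected failure */
};

/* Bind a UDP socket to 127.0.0.1:port (port 0 = ephemeral, i.e. unprivileged)
 * in the caller's *current* network namespace. No capability is needed. */
static int udp_bind_loopback(uint16_t port, struct sockaddr_in *bound)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port) };
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) { close(fd); return -1; }
    socklen_t len = sizeof *bound;
    if (bound && getsockname(fd, (struct sockaddr *)bound, &len) < 0) { close(fd); return -1; }
    return fd;
}

/* Send a single status byte to the parent; the return value is not needed. */
static void report(int status_fd, char c) { (void)!write(status_fd, &c, 1); }

/* Child side: leave the initial user and network namespaces, then compare a
 * socket created *before* unshare with one created *after* it. */
static void child_after_unshare(int inherited, const struct sockaddr_in *dst, int status_fd)
{
    if (unshare(CLONE_NEWUSER | CLONE_NEWNET) < 0) {
        report(status_fd, 'U');   /* kernel or sandbox policy refused the namespaces */
        _exit(0);
    }
    /* 1. The inherited fd is still bound to the initial netns, so it can reach
     *    127.0.0.1 there even though this process is now in a new netns. */
    ssize_t n = sendto(inherited, "hello", 5, 0, (const struct sockaddr *)dst, sizeof *dst);
    /* 2. A socket created now belongs to the new netns: lo is down and there
     *    are no routes, so the same sendto fails (ENETUNREACH). */
    int fresh = socket(AF_INET, SOCK_DGRAM, 0);
    ssize_t m = (fresh < 0) ? -1
              : sendto(fresh, "hello", 5, 0, (const struct sockaddr *)dst, sizeof *dst);
    report(status_fd, (n == 5 && m < 0) ? 'K' : 'E');
    _exit(0);
}

/* Parent side: set up receiver and sender in the initial netns, fork, and
 * verify that the datagram sent from inside the new netns actually arrived. */
enum demo_result run_demo(void)
{
    struct sockaddr_in rx_addr;
    int rx = udp_bind_loopback(0, &rx_addr); /* receiver, initial netns */
    int tx = udp_bind_loopback(0, NULL);     /* sender, created before unshare */
    int pipefd[2];
    if (rx < 0 || tx < 0 || pipe(pipefd) < 0) return DEMO_ERROR;

    pid_t pid = fork();
    if (pid < 0) return DEMO_ERROR;
    if (pid == 0) { close(pipefd[0]); close(rx); child_after_unshare(tx, &rx_addr, pipefd[1]); }
    close(pipefd[1]);
    close(tx);

    char status = 'E';
    if (read(pipefd[0], &status, 1) != 1) status = 'E';
    waitpid(pid, NULL, 0);
    close(pipefd[0]);

    enum demo_result r = DEMO_ERROR;
    if (status == 'U') {
        r = DEMO_UNSHARE_UNSUPPORTED;
    } else if (status == 'K') {
        struct timeval tv = { .tv_sec = 2 };  /* don't hang if nothing arrives */
        setsockopt(rx, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);
        char buf[16];
        ssize_t n = recvfrom(rx, buf, sizeof buf, 0, NULL, NULL);
        r = (n == 5 && memcmp(buf, "hello", 5) == 0) ? DEMO_OK : DEMO_ERROR;
    }
    close(rx);
    return r;
}

int main(void)
{
    switch (run_demo()) {
    case DEMO_OK: puts("inherited socket reached the initial netns; fresh socket could not"); return 0;
    case DEMO_UNSHARE_UNSUPPORTED: puts("unshare(CLONE_NEWUSER|CLONE_NEWNET) refused here"); return 0;
    default: puts("unexpected failure"); return 1;
    }
}
```

The same property is what a userspace implementation relies on: the UDP socket keeps the network namespace it was created in, so a process that drops into its own user and network namespaces can still exchange encapsulated packets through it while a socket it opens afterwards sees only the new namespace. The kernel implementation has no such pre-existing fd to inherit, which is the gap the message raises.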
