[PATCH 0/7] Allow changing the transit namespace
Julian Orth
ju.orth at gmail.com
Sat Sep 8 14:18:34 CEST 2018
This series allows users to change the transit namespace after the
Wireguard device has been created. The transit namespace is the
namespace in which the Wireguard UDP socket lives.
This allows Wireguard to be used in unprivileged containers [1]. This is
based on the following observation:
* Within the unprivileged container, the user has CAP_NET_ADMIN and can
create a Wireguard device.
* In the init namespace, the user can create a UDP socket and bind to an
unprivileged port.
Therefore, the following is possible as an ordinary user:
$ unshare -r -U
$ export SAVED_PID=$$
$ unshare -n
$ ip link add wg0 type wireguard
$ wg set wg0 transit-net $SAVED_PID
wg(1) accepts the following new argument:
wg set <device> transit-net <pid|file-path>
The distinction is made based on the format of the argument. If it is an
unsigned 32 bit integer, then it is interpreted as a process id.
Otherwise it is interpreted as a file path. /proc does not need to be
mounted to use the process id interpretation. To force the
interpretation as a file-path, use a ./ prefix.
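The pid-versus-path rule above is easy to get subtly wrong (a bare numeric filename in the working directory would be taken as a pid, and values past 2^32-1 fall through to the path branch). The following is an added C example written for this page; it is not the wg(8) code from the series, and the type and function names (transit_arg, parse_transit_net), the treatment of an empty argument as invalid, and the sample netns path /var/run/netns/foo are this example's own assumptions.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative classifier for the transit-net argument, following the rule
 * from the cover letter: an unsigned 32-bit decimal integer is a pid, a "./"
 * prefix forces a path, anything else is a path. Not the wg(8) implementation. */
enum transit_kind { TRANSIT_INVALID = 0, TRANSIT_PID, TRANSIT_PATH };

struct transit_arg {
	enum transit_kind kind;
	uint32_t pid;     /* meaningful when kind == TRANSIT_PID */
	const char *path; /* meaningful when kind == TRANSIT_PATH */
};

/* True if s is entirely decimal digits and fits in uint32_t.
 * strtoull() would accept leading whitespace and a sign, so the first
 * character is checked by hand to keep the rule strict. */
static bool parse_u32(const char *s, uint32_t *out)
{
	char *end;
	unsigned long long v;

	if (*s < '0' || *s > '9')
		return false;
	errno = 0;
	v = strtoull(s, &end, 10);
	if (errno || *end != '\0' || v > UINT32_MAX)
		return false;
	*out = (uint32_t)v;
	return true;
}

struct transit_arg parse_transit_net(const char *arg)
{
	struct transit_arg r = { .kind = TRANSIT_INVALID };

	/* Empty argument treated as invalid here (assumption of this example). */
	if (!arg || !*arg)
		return r;
	/* "./" forces the path interpretation, e.g. a file literally named "1234". */
	if (strncmp(arg, "./", 2) == 0) {
		r.kind = TRANSIT_PATH;
		r.path = arg;
		return r;
	}
	if (parse_u32(arg, &r.pid)) {
		r.kind = TRANSIT_PID;
		return r;
	}
	/* Anything else (non-numeric, signed, or > UINT32_MAX) is a path,
	 * such as a netns file created by ip-netns(8) under /var/run/netns/. */
	r.kind = TRANSIT_PATH;
	r.path = arg;
	return r;
}

int main(void)
{
	/* Constructed sample arguments, one per branch of the rule. */
	const char *samples[] = { "1234", "./1234", "/var/run/netns/foo", "4294967296", "-1" };
	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		struct transit_arg a = parse_transit_net(samples[i]);
		if (a.kind == TRANSIT_PID)
			printf("%-20s -> pid %u\n", samples[i], a.pid);
		else if (a.kind == TRANSIT_PATH)
			printf("%-20s -> path %s\n", samples[i], a.path);
		else
			printf("%-20s -> invalid\n", samples[i]);
	}
	return 0;
}
```

Note that the path branch is resolved relative to the working directory of wg, so a relative netns file should be given with the "./" prefix, while the pid branch, as the cover letter says, does not need /proc mounted in the container.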
[1] https://stgraber.org/2014/01/17/lxc-1-0-unprivileged-containers/
Julian Orth (7):
device: protect socket_init with device_update_lock
device: rename creating_net to transit_net
device: store a copy of the device net
socket: allow modification of transit_net
netlink: allow setting of transit net
tools: allow setting of transit net
tests: add test for transit-net
src/device.c | 46 ++++++++++++++++++++++++-------------
src/device.h | 6 +++--
src/netlink.c | 52 ++++++++++++++++++++++++++++++++----------
src/socket.c | 18 ++++++++-------
src/socket.h | 6 ++---
src/tests/netns.sh | 40 ++++++++++++++++++++++++++++++++
src/tools/config.c | 32 ++++++++++++++++++++++++++
src/tools/containers.h | 6 ++++-
src/tools/ipc.c | 4 ++++
src/tools/man/wg.8 | 9 ++++++--
src/tools/set.c | 2 +-
src/uapi/wireguard.h | 12 +++++++---
12 files changed, 185 insertions(+), 48 deletions(-)
--
2.18.0