Fwd: bypassing wireguard using firejail
Sitaram Chamarty
sitaramc at gmail.com
Tue May 14 06:05:32 CEST 2019
On 11/05/2019 17.04, Steve Dodd wrote:
> On Sat, 11 May 2019 at 02:09, Sitaram Chamarty <sitaramc at gmail.com> wrote:
> > Some other tool, if it's running as root or is suid root, can
> > still bypass wireguard, regardless of how it is set up.
>
> I suspect that can be prevented - on modern systems being root isn't
> necessarily the be-all and end-all. Capabilities and namespaces can
> still be used to constrain applications in lots of ways.
Thanks for the links. I had not read the netns page on wireguard.com
till now.
The last section of that page, "the new namespace solution", appears to
do exactly this; I'm going to try that out when I get some time.
thanks again
sitaram