Unprivileged WireGuard
mindless at national.shitposting.agency
Sun Sep 1 19:22:31 CEST 2019
Lately I've been fiddling around with namespaces and I thought that it would be great to have an ability to create wireguard interfaces without requiring CAP_NET_ADMIN.

In Linux, any user can unshare into a new user namespace and gain all capabilities there, and simultaneously the user can unshare into a new network namespace, thus gaining an ability to create any network interface in the newly created namespace. The only problem we are facing now is that since we are in the new network namespace, we can't reach the outside network via physical/whatever interfaces the initial network namespace had.

The problem is trivially solved when using any TUN-based implementation (such as wireguard-go): create a UDP socket for wireguard traffic in the initial network namespace and then don't close the resulting file descriptor while unsharing; after unsharing, use this socket for sending and receiving encapsulated traffic. Binding and listening on non-privileged ports is allowed for all users.

However, for the kernel implementation this problem is unsolvable because it creates sockets in kernel by itself. I guess one could pass the socket's fd number via netlink, the kernel module would then look it up in the task_struct of the netlink peer and then use this socket for initialization. But there is no way to invalidate the socket fd in the userspace, so we have to count on the user not to use it in any way after having sent it via netlink.

Is this a viable solution? Forgive me if I'm spewing nonsense, I have never touched kernel code in any way.
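The userspace trick described in the post (a UDP socket opened in the initial network namespace keeps working after the process unshares into a new user and network namespace, while a socket created afterwards inside the new namespace cannot reach anything), shown as an added stand-alone example that is not part of the original mail and not wireguard-go code. It calls unshare(2) through ctypes with constants taken from <sched.h>; the `socket_survives_unshare` function name and the loopback receiver are constructed for the demonstration, and the function reports rather than fails when the kernel or a seccomp policy denies unprivileged user namespaces.

```python
import ctypes
import errno
import os
import socket

# Flag values from <sched.h> on Linux; unshare(2) is called through libc.
CLONE_NEWUSER = 0x10000000
CLONE_NEWNET = 0x40000000


def unshare(flags):
    """unshare(2) via libc; OSError carries errno (EPERM when unprivileged
    user namespaces are disabled or a seccomp filter denies the call)."""
    libc = ctypes.CDLL(None, use_errno=True)
    if libc.unshare(flags) != 0:
        err = ctypes.get_errno()
        raise OSError(err, os.strerror(err))


def socket_survives_unshare():
    """Fork a child that unshares into a new user+net namespace, then sends
    through a UDP socket opened beforehand in the initial netns (the role
    wireguard-go's socket plays) and through a socket opened after unsharing.
    Returns {"unshared", "inherited_received", "fresh_errno"}."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)  # receiver in initial netns
    rx.bind(("127.0.0.1", 0))
    rx.settimeout(2)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)  # opened BEFORE unshare
    rfd, wfd = os.pipe()  # child reports its outcome to the parent here
    pid = os.fork()
    if pid == 0:
        os.close(rfd)
        report = b"error"
        try:
            unshare(CLONE_NEWUSER | CLONE_NEWNET)  # all caps in the new user ns
            tx.sendto(b"encapsulated", rx.getsockname())  # inherited fd still works
            fresh = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)  # new netns, lo is down
            try:
                fresh.sendto(b"encapsulated", rx.getsockname())
                report = b"fresh-sent"
            except OSError as e:
                report = b"fresh-errno:%d" % e.errno  # expected: ENETUNREACH
        except OSError as e:
            report = b"unshare-errno:%d" % e.errno
        os.write(wfd, report)
        os._exit(0)
    os.close(wfd)
    report = os.read(rfd, 64).decode()
    os.waitpid(pid, 0)
    result = {"unshared": False, "inherited_received": False, "fresh_errno": None}
    if not report.startswith("fresh-"):
        return result  # unshare was denied (or the child failed); nothing to compare
    result["unshared"] = True
    try:
        result["inherited_received"] = rx.recvfrom(64)[0] == b"encapsulated"
    except socket.timeout:
        pass
    if report.startswith("fresh-errno:"):
        result["fresh_errno"] = int(report.split(":")[1])
    return result


if __name__ == "__main__":
    print(socket_survives_unshare())
```

On a kernel that allows unprivileged user namespaces the inherited socket delivers its datagram while the fresh socket fails with ENETUNREACH (errno 101); where unshare is denied, the result simply reports `unshared: False`.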