Unprivileged WireGuard

mindless at national.shitposting.agency
Sun Sep 1 19:22:31 CEST 2019

Lately I've been fiddling around with namespaces and I thought that it would be great to have an ability to create wireguard interfaces requiring CAP_NET_ADMIN.

In Linux, any user can unshare into a new user namespace and gain all capabilities there, and simultaneously the user can unshare into a new network namespace, thus gaining an ability to create any network in the newly created namespace. The only problem we are facing now is that since we are in the new network namespace, we can't reach the outside via physical/whatever interfaces the initial network namespace had.

The problem is trivially solved when using any TUN-based implementation (such as wireguard-go): create a UDP socket for wireguard traffic in the initial namespace and then don't close the resulting file descriptor, while after unsharing use this socket for sending and receiving encapsulated. Binding and listening on non-privileged ports is allowed for all users.

However, for the kernel implementation this problem is unsolvable because it creates sockets in kernel by itself. I guess one could pass the socket's fd number via netlink; the kernel module would then look it up in the of the netlink peer and then use this socket for initialization. But there is no way to invalidate the socket fd in the userspace, so we have to count on the user to not use it in any way after having sent it via netlink.

Is this a viable solution? Forgive me if I'm spewing nonsense, I have touched kernel code in any way.
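The socket-inheritance trick the post describes for TUN-based implementations, as an added illustration (not code from the post or from wireguard-go). It assumes a Linux host, calls unshare(2) through ctypes, and uses constructed flag values from <linux/sched.h>:

```python
"""A UDP socket created in the initial network namespace keeps working
after the process unshares into a fresh user+net namespace, while a
socket created afterwards has no route to anywhere."""
import ctypes
import errno
import socket

# Flag values from <linux/sched.h> (constructed here, not from the post).
CLONE_NEWUSER = 0x10000000
CLONE_NEWNET = 0x40000000


def unshare_user_and_net():
    """Call unshare(2) via libc; return None on success, else the errno."""
    try:
        libc = ctypes.CDLL(None, use_errno=True)
        if libc.unshare(CLONE_NEWUSER | CLONE_NEWNET) == 0:
            return None
        return ctypes.get_errno()
    except (AttributeError, OSError):
        return errno.ENOSYS  # not Linux, or no libc symbol


def demo():
    # Step 1: create the sockets *before* leaving the initial netns.
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(("127.0.0.1", 0))  # unprivileged port, as wireguard-go would
    rx.settimeout(2)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    peer = rx.getsockname()

    # Step 2: drop into a new user+net namespace; needs no privileges if
    # the kernel (and any seccomp policy) permits unprivileged userns.
    unshared = unshare_user_and_net() is None

    # Step 3: the inherited fds still belong to the old netns, so the
    # datagram flows over the original loopback regardless of step 2.
    tx.sendto(b"encapsulated", peer)
    data, _ = rx.recvfrom(64)
    old_socket_works = data == b"encapsulated"

    # Step 4: a socket created *after* unshare lives in the new, empty
    # netns: its loopback is down, so 127.0.0.1 is unreachable.
    new_socket_works = None
    if unshared:
        fresh = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        try:
            fresh.sendto(b"x", peer)
            new_socket_works = True
        except OSError:  # expected: ENETUNREACH
            new_socket_works = False
        finally:
            fresh.close()
    rx.close()
    tx.close()
    return unshared, old_socket_works, new_socket_works
```

If unshare is refused (EPERM under a default container seccomp profile, or unprivileged user namespaces disabled), the first tuple element is False and only the pre-existing socket exchange is exercised.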
