diff options
author | Jason A. Donenfeld <Jason@zx2c4.com> | 2018-12-28 16:51:34 +0100 |
---|---|---|
committer | Jason A. Donenfeld <Jason@zx2c4.com> | 2018-12-30 15:59:30 +0100 |
commit | fd3276b09caec20156775965f2abf267f044b909 (patch) | |
tree | 8dfec378d81e893acd7e102894425337fdaed6e7 /src/main.c | |
parent | 45631d0203e9470896b1c03026a8ec256b58eda4 (diff) |
netlink: auth socket changes against namespace of socket
In WireGuard, the underlying UDP socket lives in the namespace where the
interface was created and doesn't move if the interface is moved. This
allows one to create the interface in some privileged place that has
Internet access, and then move it into a container namespace that only
has the WireGuard interface for egress. Consider the following
situation:
1. Interface created in namespace A. Socket therefore lives in namespace A.
2. Interface moved to namespace B. Socket remains in namespace A.
3. Namespace B now has access to the interface and changes the listen
port and/or fwmark of socket. Change is reflected in namespace A.
This behavior is arguably _fine_ and perhaps even expected or
acceptable. But there's also an argument to be made that B should have
A's cred to do so. So, this patch adds a simple ns_capable check.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Diffstat (limited to 'src/main.c')
0 files changed, 0 insertions, 0 deletions