NetBSD-Bugs archive


kern/51963: sockets in chroot sandbox via null-mounts don't work

>Number:         51963
>Category:       kern
>Synopsis:       sockets in chroot sandbox via null-mounts don't work
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Feb 10 06:15:00 +0000 2017
>Originator:     Paul Goyette
>Release:        NetBSD 7.99.53
| Paul Goyette     | PGP Key fingerprint:     | E-mail addresses:      |
| (Retired)        | FA29 0E3B 35AF E8AE 6651 | paul at   |
| Kernel Developer | 0786 F758 55DE 53BA 7731 | pgoyette at |
>Environment:
System: NetBSD 7.99.53 NetBSD 7.99.53 (SPEEDY 2016-12-31 23:00:24) #1: Sun Jan 1 01:39:34 UTC 2017 amd64
Architecture: x86_64
Machine: amd64
>Description:
Sockets within a sandbox created by null-mounts don't work.  See below.
>How-To-Repeat:
1. Start an X server outside of the sandbox
2. Create and mount a sandbox using null-mounts.  The pkgtools/sandbox
   utility can easily do this.  Be sure to add /tmp and /home to the
   list of file-systems which should be null-mounted within the sandbox
3. From outside the sandbox, run xev and observe that it works
4. From inside the sandbox, run xev and note that it fails when trying
   to connect to the unix socket for the X server, with ECONNREFUSED
   (errno = 61)
5. Now, install the net/socat package
6. Use socat to create a socket within the sandbox and relay data to the
   real socket

	socat unix-listen:/path/to/chroot/tmp/.X11-unix/X123,mode=0777,reuseaddr,fork unix-connect:/tmp/.X11-unix/X0 &
7. Use xauth to copy authentication records for the unix:0 server to the
   unix:123 server (handled by socat's listener socket)
8. Make sure your XAUTHORITY file is accessible within the sandbox
9. Re-run xev with '-display unix:123' option and note that it connects!
>Fix:
Not known, but the suspicion is that vp->v_socket is never reflected in the
layer vnode.  So when unp_connect uses that, it gets nothing.

	/* Acquire v_interlock to protect against unp_detach(). */
	so2 = vp->v_socket;
	if (so2 == NULL) {
		/* no socket behind the vnode: connect(2) fails with ECONNREFUSED */
		goto bad;
	}
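The same check can be exercised without an X server. The C program below is an added example, not part of this PR or of NetBSD's code: it binds a listener at one path and connects through a second path (where the report's null-mounted path would go), returning connect(2)'s errno. The socket path names are constructed. A socket file with no socket behind it reproduces the ECONNREFUSED seen inside the sandbox, while a path that is not visible at all gives ENOENT, so the errno tells the two failures apart.

```c
#include <errno.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>

/* AF_UNIX stream socket on path: bound and listening if do_listen is set,
 * otherwise a connected client. Returns the fd, or -(errno) on failure. */
static int unix_sock(const char *path, int do_listen)
{
	struct sockaddr_un sun = { .sun_family = AF_UNIX };
	int fd, ok;
	if (strlen(path) >= sizeof sun.sun_path) return -ENAMETOOLONG;
	strcpy(sun.sun_path, path);
	if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0) return -errno;
	if (do_listen) {
		unlink(path);	/* clear a leftover socket file before bind(2) */
		ok = bind(fd, (struct sockaddr *)&sun, sizeof sun) == 0 && listen(fd, 1) == 0;
	} else
		ok = connect(fd, (struct sockaddr *)&sun, sizeof sun) == 0;
	if (!ok) { int e = errno; close(fd); return -e; }
	return fd;
}

/* The report's check: server bound at real, client connecting through alias
 * (in the report, the null-mounted path seen inside the chroot). Returns
 * connect(2)'s errno: 0 = connected, ECONNREFUSED = the sandbox symptom. */
int probe_alias(const char *real, const char *alias)
{
	int lfd = unix_sock(real, 1), cfd;
	if (lfd < 0) return -lfd;
	cfd = unix_sock(alias, 0);
	if (cfd >= 0) close(cfd);
	close(lfd); unlink(real);
	return cfd < 0 ? -cfd : 0;
}

/* Stale socket file: the listener is gone but its file stays. unp_connect()
 * then finds a VSOCK vnode with vp->v_socket == NULL and fails with
 * ECONNREFUSED, the same errno 61 that xev reported inside the sandbox. */
int probe_stale(const char *path)
{
	int lfd = unix_sock(path, 1), cfd;
	if (lfd < 0) return -lfd;
	close(lfd);	/* socket destroyed, file left behind */
	cfd = unix_sock(path, 0);
	unlink(path);
	if (cfd >= 0) { close(cfd); return 0; }
	return -cfd;
}
```

Run probe_alias with the real socket path and the path as seen through the null mount to reproduce the report; ECONNREFUSED with the file visible means the vnode was found but carried no socket.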

