kern/51963: sockets in chroot sandbox via null-mounts don't work

To: kern-bug-people%netbsd.org@localhost,gnats-admin%netbsd.org@localhost,netbsd-bugs%netbsd.org@localhost
Subject: kern/51963: sockets in chroot sandbox via null-mounts don't work
From: paul%whooppee.com@localhost
Date: Fri, 10 Feb 2017 06:15:00 +0000 (UTC)

>Number:         51963
>Category:       kern
>Synopsis:       sockets in chroot sandbox via null-mounts don't work
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Feb 10 06:15:00 +0000 2017
>Originator:     Paul Goyette
>Release:        NetBSD 7.99.53
>Organization:
+------------------+--------------------------+------------------------+
| Paul Goyette     | PGP Key fingerprint:     | E-mail addresses:      |
| (Retired)        | FA29 0E3B 35AF E8AE 6651 | paul at whooppee.com   |
| Kernel Developer | 0786 F758 55DE 53BA 7731 | pgoyette at netbsd.org |
+------------------+--------------------------+------------------------+
>Environment:
	
	
System: NetBSD speedy.whooppee.com 7.99.53 NetBSD 7.99.53 (SPEEDY 2016-12-31 23:00:24) #1: Sun Jan 1 01:39:34 UTC 2017 paul%speedy.whooppee.com@localhost:/build/netbsd-local/obj/amd64/sys/arch/amd64/compile/SPEEDY amd64
Architecture: x86_64
Machine: amd64
>Description:
Sockets within a sandbox created by null-mounts don't work.  See below.
	
>How-To-Repeat:
1. Start an X server outside of the sandbox
2. Create and mount a sandbox using null-mounts.  The pkgtools/sandbox
   utility can easily do this.  Be sure to add /tmp and /home to the
   list of file-systems which should be null-mounted within the sandbox
3. From outside the sandbox, run xev and observe that it works
4. From inside the sandbox, run xev and note that it fails when trying
   to connect to the unix socket for the X server, with ECONNREFUSED
   (errno = 61)
5. Now, install the net/socat package
6. Use socat to create a socket within the sandbox and relay data to the
   real socket

	socat unix-listen:/path/to/chroot/tmp/.X11-unix/X123,mode=0777,reuseaddr,fork unix-connect:/tmp/.X11-unix/X0 &
7. Use xauth to copy authentication records for the unix:0 server to the
   unix:123 server (handled by socat's listener socket)
8. Make sure your XAUTHORITY file is accessible within the sandbox
9. Re-run xev with '-display unix:123' option and note that it connects!
	
>Fix:
Not known, but suspicion is that x v->v_socket is never reflected in ther
 layer vnode.  So when unp_connect uses that, it gets nothing.

	...
	/* Acquire v_interlock to protect against unp_detach(). */
	mutex_enter(vp->v_interlock);
	so2 = vp->v_socket;
	if (so2 == NULL) {
		mutex_exit(vp->v_interlock);
		error = ECONNREFUSED;
		goto bad;
	}
	...
	

>Unformatted:

Prev by Date: port-evbarm/51962: crossbuild for evbarm on Darwin broken
Next by Date: Re: lib/51819 (curses vs. news/tin display problems)
Previous by Thread: port-evbarm/51962: crossbuild for evbarm on Darwin broken
Next by Thread: Re: kern/51963: sockets in chroot sandbox via null-mounts don't work
Indexes:

Home | Main Index | Thread Index | Old Index