NetBSD-Bugs archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
kern/51963: sockets in chroot sandbox via null-mounts don't work
>Number: 51963
>Category: kern
>Synopsis: sockets in chroot sandbox via null-mounts don't work
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Fri Feb 10 06:15:00 +0000 2017
>Originator: Paul Goyette
>Release: NetBSD 7.99.53
>Organization:
+------------------+--------------------------+------------------------+
| Paul Goyette | PGP Key fingerprint: | E-mail addresses: |
| (Retired) | FA29 0E3B 35AF E8AE 6651 | paul at whooppee.com |
| Kernel Developer | 0786 F758 55DE 53BA 7731 | pgoyette at netbsd.org |
+------------------+--------------------------+------------------------+
>Environment:
System: NetBSD speedy.whooppee.com 7.99.53 NetBSD 7.99.53 (SPEEDY 2016-12-31 23:00:24) #1: Sun Jan 1 01:39:34 UTC 2017 paul%speedy.whooppee.com@localhost:/build/netbsd-local/obj/amd64/sys/arch/amd64/compile/SPEEDY amd64
Architecture: x86_64
Machine: amd64
>Description:
Sockets within a sandbox created by null-mounts don't work. See below.
>How-To-Repeat:
1. Start an X server outside of the sandbox
2. Create and mount a sandbox using null-mounts. The pkgtools/sandbox
utility can easily do this. Be sure to add /tmp and /home to the
list of file-systems which should be null-mounted within the sandbox
3. From outside the sandbox, run xev and observe that it works
4. From inside the sandbox, run xev and note that it fails when trying
to connect to the unix socket for the X server, with ECONNREFUSED
(errno = 61)
5. Now, install the net/socat package
6. Use socat to create a socket within the sandbox and relay data to the
real socket
socat unix-listen:/path/to/chroot/tmp/.X11-unix/X123,mode=0777,reuseaddr,fork unix-connect:/tmp/.X11-unix/X0 &
7. Use xauth to copy authentication records for the unix:0 server to the
unix:123 server (handled by socat's listener socket)
8. Make sure your XAUTHORITY file is accessible within the sandbox
9. Re-run xev with '-display unix:123' option and note that it connects!
>Fix:
Not known, but suspicion is that x v->v_socket is never reflected in ther
layer vnode. So when unp_connect uses that, it gets nothing.
...
/* Acquire v_interlock to protect against unp_detach(). */
mutex_enter(vp->v_interlock);
so2 = vp->v_socket;
if (so2 == NULL) {
mutex_exit(vp->v_interlock);
error = ECONNREFUSED;
goto bad;
}
...
>Unformatted:
Home |
Main Index |
Thread Index |
Old Index