To be clear: The solution described for the transit-net case also applies to
the listen-port case:
Trying to change listen-port and/or transit-net should require CAP_SYS_ADMIN
in the transit namespace unless the user also proves access to that namespace
by passing a UDP socket from that
Hello list,
Consider the following scenario:
1. Sysadmin runs a hostile application `h1` in container `c1`.
2. Sysadmin creates a Wireguard device `wg0` in the init namespace.
3. Sysadmin moves `wg0` into `c1`.
4. On the same server, a user wishes to sometimes run an application `a1` that
The command is
wg set transit-credentials [,]
For example
wg set wg0 transit-credentials 100
wg set wg0 transit-credentials 100,101
---
src/tools/config.c | 30 ++
src/tools/containers.h | 4
src/tools/ipc.c| 4
src/tools/set.c| 2
The command is
wg set [...] transit-netns [...]
For example:
wg set wg0 transit-netns 1
wg set wg0 transit-netns /proc/1/ns/net
---
src/tools/config.c | 32
src/tools/containers.h | 6 +-
src/tools/ipc.c| 4
src/tools/man/wg.8 | 9
---
src/device.c | 20 ++--
src/device.h | 4 ++--
src/socket.c | 8
3 files changed, 16 insertions(+), 16 deletions(-)
diff --git a/src/device.c b/src/device.c
index 88c228b..92aefc4 100644
--- a/src/device.c
+++ b/src/device.c
@@ -243,8 +243,8 @@ static void
---
src/tests/netns.sh | 40
1 file changed, 40 insertions(+)
diff --git a/src/tests/netns.sh b/src/tests/netns.sh
index 568612c..4cc6b44 100755
--- a/src/tests/netns.sh
+++ b/src/tests/netns.sh
@@ -222,6 +222,46 @@ n1 wg set wg0 peer "$more_specific_key"
This eliminates the need for have_transit_net_ref because
have_transit_net_ref == true if and only if dev_net != transit_net.
---
src/device.c | 27 +--
src/device.h | 4 +++-
2 files changed, 20 insertions(+), 11 deletions(-)
diff --git a/src/device.c b/src/device.c
Two new attributes have been added:
* WGDEVICE_A_TRANSIT_CREDENTIALS_IPV4
* WGDEVICE_A_TRANSIT_CREDENTIALS_IPV6
If present, they have to refer to an IPv4 (resp. IPv6) UDP socket file
descriptor in the transit namespace. If the IPv6 fd is present, then the
IPv4 fd must also be present. If the
This commit adds two new arguments:
* WGDEVICE_A_TRANSIT_NETNS_PID
The argument is a U32 process id that refers to a process whose
network namespace is to be used as the transit namespace.
* WGDEVICE_A_TRANSIT_NETNS_FD
The argument is a U32 file descriptor that refers to a network
`set_port` in netlink.c races with `open` in device.c. This can cause
the following code flow:
* thread 1: set_port: device is not up
* thread 2: device is opened
* thread 2: open: called and calls socket_init with the original port
* thread 1: set_port: sets incoming_port to the new port and
v6 support.
[1] https://lists.zx2c4.com/pipermail/wireguard/2018-September/003322.html
Julian Orth (10):
device: protect socket_init with device_update_lock
device: rename creating_net to transit_net
device: store a copy of the device net
socket: allow modification of transit_net
---
src/device.c | 8 +---
src/netlink.c | 2 +-
src/socket.c | 18 ++
src/socket.h | 6 +++---
4 files changed, 19 insertions(+), 15 deletions(-)
diff --git a/src/device.c b/src/device.c
index 71c0662..2b7286b 100644
--- a/src/device.c
+++ b/src/device.c
@@ -54,7 +54,7
The calling process must have CAP_NET_ADMIN in the user namespace of the
transit namespace.
---
src/netlink.c| 11 +++
src/uapi/wireguard.h | 4
2 files changed, 15 insertions(+)
diff --git a/src/netlink.c b/src/netlink.c
index f74c23a..e7f8c69 100644
--- a/src/netlink.c
Hi,
Each Wireguard device remembers the network namespace in which it was created.
In the documentation this is called the birthplace namespace [1] but I'll be
calling it the transit namespace.
Let's say I create a Wireguard device `wg0` in a network namespace called
`vpn`. Then I would like to
Hi,
After receiving some positive feedback on IRC, I've gone ahead and implemented
this. You can see the code here:
https://github.com/mahkoh/wireguard/commits/transit-namespace
You can test it as follows:
* Create a new netns: ip netns add test
* Enter it: ip netns exec test bash
* Use
Hello Jason,
> That looks to me like a security vulnerability. User namespace sets
> listen-port to < 1024, and then moves it into the target namespace,
> and bam, controls subverted.
Luckily this is not the case. The kernel code called by Wireguard to create a
socket already checks that the
Hi Jason,
> I'd thought of this early on, but failed to come up with what seemed
> like an actually realistic use case for it.
How about creating Wireguard devices as a user that has no
privileges/capabilities in the init namespace?
$ unshare -r -U -m
$ mount --bind /proc/self/ns/net init-ns
$
---
src/device.c | 18 +++---
src/device.h | 1 +
src/netlink.c | 2 +-
src/socket.c | 18 ++
src/socket.h | 6 +++---
5 files changed, 30 insertions(+), 15 deletions(-)
diff --git a/src/device.c b/src/device.c
index cb54ae1..8f2660a 100644
--- a/src/device.c
---
src/tests/netns.sh | 40
1 file changed, 40 insertions(+)
diff --git a/src/tests/netns.sh b/src/tests/netns.sh
index 568612c..4cfcf61 100755
--- a/src/tests/netns.sh
+++ b/src/tests/netns.sh
@@ -222,6 +222,46 @@ n1 wg set wg0 peer "$more_specific_key"
it is interpreted as a file path. /proc does not need to be
mounted to use the process id interpretation. To force the
interpretation as a file-path, use a ./ prefix.
[1] https://stgraber.org/2014/01/17/lxc-1-0-unprivileged-containers/
Julian Orth (7):
device: protect socket_init with device_update_lock
The command is
wg set [...] transit-net [...]
For example:
wg set wg0 transit-net 1
wg set wg0 transit-net /proc/1/ns/net
---
src/tools/config.c | 32
src/tools/containers.h | 6 +-
src/tools/ipc.c| 4
src/tools/man/wg.8 | 9
This commit adds two new arguments:
* WGDEVICE_A_TRANSIT_NET_PID
The argument is a U32 process id that refers to a process whose
network namespace is to be used as the transit namespace.
* WGDEVICE_A_TRANSIT_NET_FD
The argument is a U32 file descriptor that refers to a network
On 9/8/18 3:39 PM, Bruno Wolff III wrote:
On Sat, Sep 08, 2018 at 14:18:34 +0200,
Julian Orth wrote:
wg set transit-net
The distinction is made based on the format of the argument. If it is an
unsigned 32 bit integer, then it is interpreted as a process id.
Otherwise it is interpreted
On 9/8/18 4:09 PM, Aaron Jones wrote:
On 08/09/18 12:18, Julian Orth wrote:
+static bool parse_transit_net(struct wgdevice *device, const char *arg)
+{
+ /* U32 arg -> PID */
+ if (isdigit(*arg)) {
+ char *end;
+ unsigned long pid = strtoul(arg, ,
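Review bot: `isdigit(*arg)` selects the PID interpretation from the first character alone, so the `strtoul` result needs its end pointer checked for a fully consumed, non-empty string (and a value that fits a U32) before it is accepted as a PID, and an empty `arg` should be rejected before `*arg` is dereferenced; a comment pointing at the documented `./` prefix rule, which forces the path interpretation for digit-initial paths, would make the fallback to the path branch explicit.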
On 9/8/18 4:03 PM, Aaron Jones wrote:
Does this handle file descriptor 0 (unlikely, but perfectly valid) ?
I believe so.
___
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
---
src/device.c | 20 ++--
src/device.h | 4 ++--
src/netlink.c | 4 ++--
src/socket.c | 8
4 files changed, 18 insertions(+), 18 deletions(-)
diff --git a/src/device.c b/src/device.c
index 49f9634..ebcd79c 100644
--- a/src/device.c
+++ b/src/device.c
@@ -243,8
This commit adds two new attributes of which at most one may be
provided:
* WGDEVICE_A_TRANSIT_NETNS_PID: NLA_U32
* WGDEVICE_A_TRANSIT_NETNS_FD: NLA_U32
The transit namespace is then set to this namespace. The caller must
either be in this namespace or have CAP_NET_ADMIN in it.
---
---
src/netlink.c | 15 ---
1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/src/netlink.c b/src/netlink.c
index 56749ba..ca90cdf 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -169,6 +169,7 @@ err:
static int get_device_start(struct netlink_callback *cb)
{
---
src/tools/containers.h | 3 +++
src/tools/genkey.c | 3 ++-
src/tools/pubkey.c | 3 ++-
src/tools/set.c | 3 ++-
src/tools/setconf.c | 3 ++-
src/tools/show.c| 3 ++-
src/tools/showconf.c| 3 ++-
src/tools/subcommands.h | 14 ++-
This commit adds two new attributes of which at most one may be
provided:
* WGDEVICE_A_DEV_NETNS_PID: NLA_U32
* WGDEVICE_A_DEV_NETNS_FD: NLA_U32
The Wireguard device is then looked up in this namespace instead of the
namespace of the netlink socket.
---
src/netlink.c| 82
---
src/device.c | 8 +---
src/netlink.c | 2 +-
src/socket.c | 18 ++
src/socket.h | 6 +++---
4 files changed, 19 insertions(+), 15 deletions(-)
diff --git a/src/device.c b/src/device.c
index ddb8fd7..a0b771b 100644
--- a/src/device.c
+++ b/src/device.c
@@ -54,7 +54,7
Hello list,
This series is simply v3 [1] rebased on master.
Julian
[1] https://lists.zx2c4.com/pipermail/wireguard/2018-September/003358.html
Julian Orth (12):
device: protect socket_init with device_update_lock
netlink: check for CAP_NET_ADMIN manually
netlink: allow specifying
e mode 100644
index 000..73ce762
--- /dev/null
+++ b/src/tools/netns.c
@@ -0,0 +1,62 @@
+/* SPDX-License-Identifier: GPL-2.0
+ *
+ * Copyright (C) 2018 Julian orth . All Rights Reserved.
+ */
+
+#include
+#include
+#include
+#include
+
+#include "netns.h"
+
+struct wgnet
The command is
wg set [...] transit-netns [...]
For example:
wg set wg0 transit-netns 1
wg set wg0 transit-netns /proc/1/ns/net
---
src/tools/config.c | 8
src/tools/containers.h | 5 -
src/tools/ipc.c| 4
src/tools/man/wg.8 | 9 +++--
src/tools/set.c
---
On 10/7/18 4:11 PM, Julian Orth wrote:
> +static int set_socket(struct wireguard_device *wg, struct nlattr **attrs)
> {
[...]
>
> - ret = test_socket_net_capable(wg->transit_net);
> + ret = test_socket_net_capable(net ? : wg->transit_net);
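Review bot: the `+` line replaces the check on `wg->transit_net` with `test_socket_net_capable(net ? : wg->transit_net)`, so whenever a new `net` is supplied the caller is no longer required to be capable in the namespace the socket currently lives in; since moving the socket affects both namespaces, keep the existing `test_socket_net_capable(wg->transit_net)` check and add a second check on `net` when it is set, rather than substituting one for the other.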
This is wrong. The capab
On 10/7/18 5:48 PM, Jason A. Donenfeld wrote:
> set_device takes rtnl_lock(), and ndo_open is called while holding the
> rtnl lock too. (Try adding `BUG_ON(!rtnl_is_locked());` there.)
I've confirmed this and will remove this patch from the next version.
On 12/15/18 5:56 PM, Julian Orth wrote:
> + ret = test_socket_net_capable(net ? : wg->transit_net);
I forgot to include the fix mentioned in [1]. I have fixed the commit in the
repository and I'll include the diff below.
diff --git a/src/netlink.c b/src/netlink.c
index f5c3a9e..90ff936
---
src/device.c | 6 +++---
src/netlink.c | 2 +-
src/socket.c | 18 ++
src/socket.h | 6 +++---
4 files changed, 17 insertions(+), 15 deletions(-)
diff --git a/src/device.c b/src/device.c
index 0c0c17b..18b4587 100644
--- a/src/device.c
+++ b/src/device.c
@@ -53,7 +53,7
and
* the code has been rebased on master.
Julian
Julian Orth (11):
netlink: check for CAP_NET_ADMIN manually
netlink: allow specifying the device namespace
netlink: restrict access to the UDP socket
device: rename creating_net to transit_net
device: store a copy of the device net
socket: allow
src/device.c | 20 ++--
src/device.h | 4 ++--
src/netlink.c | 4 ++--
src/socket.c | 8
4 files changed, 18 insertions(+), 18 deletions(-)
diff --git a/src/device.c b/src/device.c
index 877000b..ae4b9ad 100644
--- a/src/device.c
+++ b/src/device.c
@@ -251,8
---
src/netlink.c | 15 ---
1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/src/netlink.c b/src/netlink.c
index 18bebb8..364d4d8 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -163,6 +163,7 @@ err:
static int wg_get_device_start(struct netlink_callback *cb)
{
---
To interact with the UDP socket the caller must either be in the
network namespace of the socket or have CAP_NET_ADMIN in that network
namespace.
---
src/netlink.c| 21 ++---
src/uapi/wireguard.h | 7 +++
2 files changed, 25 insertions(+), 3 deletions(-)
diff --git
e code using transit-credentials can be applied on top of these
changes if it is considered useful.
Julian Orth (12):
device: protect socket_init with device_update_lock
netlink: check for CAP_NET_ADMIN manually
netlink: allow specifying the device namespace
netlink: restrict access to the
---
src/netlink.c | 15 ---
1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/src/netlink.c b/src/netlink.c
index 0bd2b97..a857aff 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -172,9 +172,12 @@ static int get_device_start(struct netlink_callback *cb)
int ret
---
src/device.c | 20 ++--
src/device.h | 4 ++--
src/netlink.c | 4 ++--
src/socket.c | 8
4 files changed, 18 insertions(+), 18 deletions(-)
diff --git a/src/device.c b/src/device.c
index 88c228b..92aefc4 100644
--- a/src/device.c
+++ b/src/device.c
@@ -243,8
Hello list,
I'm currently using WireGuard on Android for two purposes:
1. Routing all traffic via a commercial VPN provider to protect myself on
open wireless networks.
2. Connecting to my home network.
Unfortunately WireGuard on Android does not allow me to do both of these
things at the
See [1] for a similar idea.
[1] https://lists.zx2c4.com/pipermail/wireguard/2018-December/003662.html
On 3/26/19 8:49 PM, mikma...@lists.m7n.se wrote:
> On 2019-03-26 15:17, Julian Orth wrote:
>> Hello list,
>>
>> I'm currently using WireGuard on Android for two purposes:
>>
>> 1. Routing all traffic via a commercial VPN provider to protect myself on
Hello list, hello Jason,
I'm using the following nftables rules:
table inet filter {
chain input {
type filter hook input priority filter
ct state { established, related } accept
[...]
iifname "wg0" accept
udp dport 51820 accept
[...]
On 23/02/2020 12.00, Jason A. Donenfeld wrote:
wg(8) is a unix text utility.
ip(8) supports --json since 2017.
Jan 13, 2021 at 5:26 PM Julian Orth wrote:
>>
>> On 13/01/2021 17.04, Jason A. Donenfeld wrote:
>>
>> > Even if you're unprivileged and want a WireGuard interface for just a
>> > single application that's bound to the lifetime of that application,
>>
On 13/01/2021 17.04, Jason A. Donenfeld wrote:
> Even if you're unprivileged and want a WireGuard interface for just a
> single application that's bound to the lifetime of that application,
> you can still use WireGuard's normal kernel interface inside of a user
> namespace + a network