path: root/README.newnet
newnet helper
-------------

This is an optional helper program that simply creates a new network
namespace (CLONE_NEWNET) and executes a child process inside it.  It is
optional because on some Linux kernel configurations (e.g. with the
netfilter kernel module loaded), creating a new network namespace is
expensive, and it may actually fail.

linux-user-chroot is intended to create namespaces quite dynamically,
but this conflicts somewhat with the goals of the developers who
contributed the namespace functionality, which was designed for
typically more static "containers".

If you don't need this helper as a workaround, don't build it.

Caveat
------

This helper program does NOT restrict further execution of setuid
binaries.  Otherwise, you couldn't run linux-user-chroot inside of it,
and that would defeat the point.

However, I don't believe the attack surface exposed by making an empty
network namespace is very high - it does mean that e.g. one could make
"sudo" fail to look up the username if it's configured to use LDAP.

But most setuid programs *should* be carefully checking errors
anyway.
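What such a helper does, written out as an added example that is not the
project's own code: it forks, puts the child in a fresh network namespace,
checks that the namespace really has no route out, and only then execs the
command.  It fails closed when CLONE_NEWNET is refused (the expensive or
failing kernel configurations mentioned above), and, like the real helper,
it does nothing to block setuid binaries in the child.  The function names
run_in_new_netns() and netns_is_isolated() and the reserved exit codes
125/126 are my own choices, not the project's.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Exit codes reserved for the helper (assumed values), distinct from the child's. */
enum { EXIT_NEWNET_FAILED = 125, EXIT_EXEC_FAILED = 126 };
/* Run inside the new namespace: with only a down loopback and no routes, a
 * UDP connect() to an outside address (192.0.2.1, TEST-NET) fails ENETUNREACH. */
static int netns_is_isolated(void)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return 0;
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(53) };
    inet_pton(AF_INET, "192.0.2.1", &sa.sin_addr);
    int rc = connect(fd, (struct sockaddr *)&sa, sizeof sa), err = errno;
    close(fd);
    return rc < 0 && err == ENETUNREACH;
}

/* Fork, move the child into a fresh network namespace, verify it, exec argv.
 * Fails closed: if CLONE_NEWNET is refused (EPERM, ENOSYS, or the kernel
 * configurations the README mentions) the command never runs with the
 * parent's network.  Like the real helper, setuid binaries are NOT blocked. */
int run_in_new_netns(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return EXIT_NEWNET_FAILED;
    if (pid == 0) {
        if (unshare(CLONE_NEWNET) != 0) {
            fprintf(stderr, "newnet: unshare(CLONE_NEWNET): %s\n", strerror(errno));
            _exit(EXIT_NEWNET_FAILED);
        }
        if (!netns_is_isolated()) /* namespace exists but still has a route out */
            _exit(EXIT_NEWNET_FAILED);
        execvp(argv[0], argv);
        _exit(EXIT_EXEC_FAILED);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return EXIT_NEWNET_FAILED;
    return WIFEXITED(status) ? WEXITSTATUS(status) : EXIT_EXEC_FAILED;
}
```

Without CAP_SYS_ADMIN the call returns EXIT_NEWNET_FAILED rather than running
the command with the caller's network, which is the behaviour a wrapper
relying on the namespace should insist on.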

Building
--------

To enable building this helper, pass --enable-newnet-helper to
configure.

Running
-------

$ linux-user-chroot-newnet curl http://google.com
curl: (6) Could not resolve host: google.com; Unknown error
$ linux-user-chroot-newnet /bin/bash
$ # you're now in a shell without networking