openvpn is a scary, invasive, complex client that most often runs as root and configures the host based on external input; it was also vulnerable to shellshock.

- We could sandbox fs (could also be used to override resolv.conf to avoid DNS resolution over Tor)
- Run in own netns to minimize modification of host global routing table, expose for use via bridge/veth
- Reduce capabilities to whatever is minimally required, e.g. CAP_NET_ADMIN
- AppArmor
- Run client with seccomp bpf wrapper
Openvpn client can be run in a lower privileged mode, with the tun interface set to the sandbox netns. Then, if the ip address / peer of the tun device is set in the new netns, an existing connection initiated outside of the sandbox will work.
However, oz-init still needs to wake up and change the tun configuration if the address is dynamically assigned when the connection breaks and is re-established, as is often the case.
So TODO on this: we need to write an if-up that openvpn calls when the IP address changes. This would run as gid oz-openvpn (which it would inherit from openvpn process) and connect to oz-daemon over ozipc - it could pass gid over socket to auth if we feel necessary - and then inform oz-daemon that the IP address has changed. oz-daemon can then tell oz-init of the sandbox to update the interface in its sandbox, or just do it itself.
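As an added illustration of the tun-in-netns approach and the if-up hook discussed above (example code, not part of oz or OpenVPN): an `--up`/`--route-up` script that moves the tun device into a sandbox netns, applies the address OpenVPN negotiated, and re-applies it when a reconnect hands out a new one. The namespace name `oz-openvpn` is an assumption; the `dev`, `ifconfig_local`, `ifconfig_netmask`, `ifconfig_remote`, `tun_mtu` and `script_type` variables are the ones OpenVPN exports to such scripts.

```shell
#!/bin/sh
# Added example: OpenVPN --up/--route-up hook that configures the tun device
# inside a sandbox network namespace. Namespace name is an assumption.
set -eu

NS="${OZ_NETNS:-oz-openvpn}"   # assumed sandbox netns name

# Convert a dotted-quad netmask (255.255.255.0) to a prefix length (24).
mask2cidr() {
    bits=0; oldifs=$IFS; IFS=.
    for octet in $1; do
        while [ "$octet" -gt 0 ]; do
            bits=$((bits + octet % 2)); octet=$((octet / 2))
        done
    done
    IFS=$oldifs; echo "$bits"
}

# Print the ip(8) commands for one address assignment, without running them.
# Args: device, local address, netmask (may be empty), peer (may be empty),
# mtu, namespace, and mode: "move" on first up, "readdr" when the device is
# already inside the netns and the server handed out a new address.
plan_netns_setup() {
    dev=$1 local_ip=$2 mask=$3 peer=$4 mtu=$5 ns=$6 mode=$7
    [ -n "$dev" ] && [ -n "$local_ip" ] || return 1
    if [ "$mode" = move ]; then
        printf 'ip link set dev %s netns %s\n' "$dev" "$ns"
    else
        # reconnect: drop the stale address before adding the new one
        printf 'ip -n %s addr flush dev %s\n' "$ns" "$dev"
    fi
    if [ -n "$mask" ]; then
        # subnet topology: address with netmask
        printf 'ip -n %s addr add %s/%s dev %s\n' "$ns" "$local_ip" "$(mask2cidr "$mask")" "$dev"
    else
        # point-to-point topology: address with peer
        printf 'ip -n %s addr add %s peer %s dev %s\n' "$ns" "$local_ip" "$peer" "$dev"
    fi
    printf 'ip -n %s link set dev %s mtu %s up\n' "$ns" "$dev" "$mtu"
}

# Only act when invoked by OpenVPN (it exports script_type); sourcing the
# file for its functions runs nothing and needs no privileges.
if [ -n "${script_type:-}" ]; then
    mode=move
    ip -n "$NS" link show "$dev" >/dev/null 2>&1 && mode=readdr
    plan_netns_setup "$dev" "$ifconfig_local" "${ifconfig_netmask:-}" \
        "${ifconfig_remote:-}" "${tun_mtu:-1500}" "$NS" "$mode" | sh -e
fi
```

Because the device is moved out of the host namespace, the host routing table is left untouched; only the sandbox sees the tun address, which is the isolation property the thread is after.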