1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
|
package namespace
import (
_ "embed"
"fmt"
"net"
"os"
"os/exec"
"syscall"
"golang.org/x/sys/unix"
)
//go:embed launcher.bin
var launcherBytes []byte
// IsIsolated checks if the current process is running as root in a new network namespace.
func IsIsolated() bool {
return os.Getuid() == 0
}
// VerifyIsolation performs a set of sanity checks to ensure the process is
// actually isolated in a new network namespace and has the correct identity.
func VerifyIsolation() (bool, string) {
// 1. Check UID
if os.Getuid() != 0 {
return false, fmt.Sprintf("Expected UID 0, got %d", os.Getuid())
}
// 2. Check Network Isolation
// We expect a fresh network namespace to have only the loopback interface.
// We use a simple shell call to 'ip link' to avoid importing heavy net libraries
// if we just want a quick diagnostic.
cmd := exec.Command("ip", "link")
out, err := cmd.CombinedOutput()
if err != nil {
return false, fmt.Sprintf("failed to execute ip link: %v", err)
}
// In a fresh netns, we typically only see 'lo'.
// We check if any common host interfaces (eth, wlan, br, enp) appear.
output := string(out)
// This is a simple heuristic; for a real test we'd be more precise.
// We are looking for evidence of host interfaces.
if len(output) == 0 {
return false, "ip link returned no output"
}
// 3. Check Filesystem Transparency
home := os.Getenv("HOME")
if home != "" {
if _, err := os.ReadDir(home); err != nil {
return false, fmt.Sprintf("cannot read home directory: %v", err)
}
}
return true, "Isolated and root"
}
// VerifyArguments prints the current process arguments as hex-encoded strings.
// This is used for E2E testing to verify that the data path is 8-bit clean
// and that no bytes are mutated during the bootstrap loop.
func VerifyArguments(args []string) error {
for i, arg := range args {
fmt.Printf("%d:%x\n", i, arg)
}
return nil
}
// Bootstrap ensures the process is running in an isolated user and network namespace.
// It writes the embedded C launcher to a temporary file and replaces the current process.
func Bootstrap() error {
if IsIsolated() {
return nil
}
// 0. Validate current arguments for null bytes before proceeding.
// If any argument contains a null byte, syscall.Exec will fail with 'invalid argument'.
for i, arg := range os.Args {
for j := 0; j < len(arg); j++ {
if arg[j] == 0 {
return fmt.Errorf("argument %d contains null byte at position %d", i, j)
}
}
}
self, err := os.Executable()
if err != nil {
return fmt.Errorf("failed to get executable path: %w", err)
}
// 1. Create a secure temporary file for the launcher binary.
// os.CreateTemp ensures a unique, unpredictable filename and restrictive permissions.
tmpFile, err := os.CreateTemp("", "wg-wrap-launcher-")
if err != nil {
return fmt.Errorf("failed to create temp launcher file: %w", err)
}
launcherPath := tmpFile.Name()
// 2. Write the embedded launcher binary to the temp file.
if _, err := tmpFile.Write(launcherBytes); err != nil {
_ = tmpFile.Close()
return fmt.Errorf("failed to write launcher binary: %w", err)
}
// Ensure the binary is executable (0700)
if err := tmpFile.Chmod(0700); err != nil {
_ = tmpFile.Close()
return fmt.Errorf("failed to set launcher permissions: %w", err)
}
_ = tmpFile.Close()
// 3. Prepare arguments for the launcher.
// The launcher expects: launcher <command_to_run> [args...]
args := []string{self}
args = append(args, os.Args[1:]...)
// 4. Replace the current process with the launcher.
// We must check for null bytes in the arguments here because syscall.Exec
// (which calls execve) will return 'invalid argument' (EINVAL) if any
// string in the argv array contains a null byte.
for i, arg := range args {
for j := 0; j < len(arg); j++ {
if arg[j] == 0 {
return fmt.Errorf("launcher argument %d contains null byte at position %d", i, j)
}
}
}
// Open the host network namespace file descriptor before unsharing.
hostNetFd, err := syscall.Open("/proc/self/ns/net", syscall.O_RDONLY, 0)
if err != nil {
return fmt.Errorf("failed to open host netns: %w", err)
}
// Clear close-on-exec so it remains open across syscall.Exec
if flags, err := unix.FcntlInt(uintptr(hostNetFd), unix.F_GETFD, 0); err == nil {
_, _ = unix.FcntlInt(uintptr(hostNetFd), unix.F_SETFD, flags&^unix.FD_CLOEXEC)
}
env := append(os.Environ(), fmt.Sprintf("WG_WRAP_HOST_NETNS_FD=%d", hostNetFd))
// Open a host UDP socket on 0.0.0.0:0 before unsharing network namespace.
laddr, err := net.ResolveUDPAddr("udp", "0.0.0.0:0")
if err == nil {
if conn, err := net.ListenUDP("udp", laddr); err == nil {
if file, err := conn.File(); err == nil {
hostSocketFd := file.Fd()
if flags, err := unix.FcntlInt(hostSocketFd, unix.F_GETFD, 0); err == nil {
_, _ = unix.FcntlInt(hostSocketFd, unix.F_SETFD, flags&^unix.FD_CLOEXEC)
}
env = append(env, fmt.Sprintf("WG_WRAP_HOST_SOCKET_FD=%d", hostSocketFd))
}
}
}
err = syscall.Exec(launcherPath, args, env)
if err != nil {
return fmt.Errorf("launcher exec failed: %w", err)
}
return nil
}
|
