TSI should only be used as a guest–host integration tool, but I found that when a UDS is used as the guest's internal IPC method, the traffic is handled by the host.
I started with this small program: https://gist.github.com/karuboniru/abdd3ec7a2707528035770287a37642b, which simply creates a UDS and ping-pongs between 2 processes.
Start the container with only the small program (with modified crun to enable TSI for AF_UNIX)
podman --runtime=/var/home/yan/code/crun/krun run -it --rm -v ./run:/socket:z ghcr.io/karuboniru/socketecho:latest
and strace the container
strace -f -e trace=sendto,connect -p 342060
strace: Process 342060 attached with 23 threads
[pid 342060] sendto(99, "Ping 169", 8, MSG_NOSIGNAL, NULL, 0) = 8
[pid 342060] sendto(100, "Pong 169", 8, MSG_NOSIGNAL, NULL, 0) = 8
[pid 342060] sendto(99, "Ping 170", 8, MSG_NOSIGNAL, NULL, 0) = 8
[pid 342060] sendto(100, "Pong 170", 8, MSG_NOSIGNAL, NULL, 0) = 8
[pid 342060] sendto(99, "Ping 171", 8, MSG_NOSIGNAL, NULL, 0) = 8
[pid 342060] sendto(100, "Pong 171", 8, MSG_NOSIGNAL, NULL, 0) = 8
[pid 342060] sendto(99, "Ping 172", 8, MSG_NOSIGNAL, NULL, 0) = 8
[pid 342060] sendto(100, "Pong 172", 8, MSG_NOSIGNAL, NULL, 0) = 8
The strace output indicates that traffic which should stay internal to the guest is leaked to the host; this should not happen (it causes a performance penalty).
This crun is only modified to enable TSI of AF_UNIX.
diff --git a/src/libcrun/handlers/krun.c b/src/libcrun/handlers/krun.c
index 0287c433..43ccb2e2 100644
--- a/src/libcrun/handlers/krun.c
+++ b/src/libcrun/handlers/krun.c
@@ -95,6 +95,39 @@ libkrun_create_context (void *handle, libcrun_error_t *err)
return ctx_id;
}
+# define KRUN_TSI_HIJACK_INET (1 << 0)
+# define KRUN_TSI_HIJACK_UNIX (1 << 1)
+
+static int
+libkrun_add_vsock (uint32_t ctx_id, void *handle, uint32_t tsi_features, libcrun_error_t *err)
+{
+ int32_t (*krun_add_vsock) (uint32_t ctx_id, uint32_t tsi_features);
+ krun_add_vsock = dlsym (handle, "krun_add_vsock");
+ if (krun_add_vsock == NULL)
+ return crun_make_error (err, 0, "could not find symbol in the krun library");
+
+ int ret = krun_add_vsock (ctx_id, tsi_features);
+ if (UNLIKELY (ret < 0))
+ return crun_make_error (err, -ret, "could not add vsock to krun context");
+
+ return 0;
+}
+
+int32_t
+libkrun_disable_implicit_vsock (uint32_t ctx_id, void *handle, libcrun_error_t *err)
+{
+ int32_t (*krun_disable_implicit_vsock) (uint32_t ctx_id);
+ krun_disable_implicit_vsock = dlsym (handle, "krun_disable_implicit_vsock");
+ if (krun_disable_implicit_vsock == NULL)
+ return crun_make_error (err, 0, "could not find symbol in the krun library");
+
+ int ret = krun_disable_implicit_vsock (ctx_id);
+ if (UNLIKELY (ret < 0))
+ return crun_make_error (err, -ret, "could not disable implicit vsock in krun context");
+
+ return 0;
+}
+
static int
libkrun_configure_kernel (uint32_t ctx_id, void *handle, yajl_val *config_tree, libcrun_error_t *err)
{
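Review bot: `libkrun_disable_implicit_vsock` in this hunk is declared without `static` and returns `int32_t`, whereas its sibling `libkrun_add_vsock` and the existing `libkrun_configure_kernel` are `static int`; unless a header declares it, this exports an extra symbol from the handler for no reason. Make the two helpers consistent: `static int` / `libkrun_disable_implicit_vsock (uint32_t ctx_id, void *handle, libcrun_error_t *err)`. The `KRUN_TSI_HIJACK_INET` and `KRUN_TSI_HIJACK_UNIX` macros are defined locally; if libkrun ships these bit values in its own header, a comment such as `/* must match the tsi_features bits accepted by libkrun's krun_add_vsock */` would help a maintainer notice when they drift. The two helpers are otherwise identical in shape (dlsym, NULL check, negative-return mapping), so a short header comment on each stating that a negative libkrun return is treated as `-errno` would document the `crun_make_error (err, -ret, ...)` convention they rely on.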
@@ -436,6 +469,13 @@ libkrun_exec (void *cookie, libcrun_container_t *container, const char *pathname
yajl_tree_free (config_tree);
+ ret = libkrun_disable_implicit_vsock (ctx_id, handle, &err);
+ if (UNLIKELY (ret < 0))
+ error (EXIT_FAILURE, err->status, "%s", err->msg);
+ ret = libkrun_add_vsock (ctx_id, handle, KRUN_TSI_HIJACK_INET | KRUN_TSI_HIJACK_UNIX, &err);
+ if (UNLIKELY (ret < 0))
+ error (EXIT_FAILURE, err->status, "%s", err->msg);
+
ret = krun_start_enter (ctx_id);
return -ret;
}Metadata
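Review bot: The `tsi_features` argument to `libkrun_add_vsock` is hard-coded to `KRUN_TSI_HIJACK_INET | KRUN_TSI_HIJACK_UNIX`, so every container started through this handler gets AF_UNIX hijacking, which is what the strace in the description shows: guest-internal socket traffic is routed through the host. If this is meant as more than a reproduction patch, the UNIX bit should be opt-in, read from the container configuration alongside the other krun settings, with a comment noting that enabling it changes which sockets become visible to the host. `libkrun_exec` begins outside the hunk, so I cannot tell from here whether `config_tree` (freed on the line just above the inserted calls) would still be available to source such a setting; the lookup may need to move before `yajl_tree_free`. The `error (EXIT_FAILURE, ...)` handling mirrors the existing style and is fine as long as an exit at this point is acceptable without tearing down `ctx_id`.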