[patch] UNIX sockets support for lwresd

Ilya Bakulin webmaster at kibab.com
Mon Jan 16 14:19:46 UTC 2012 

Hi list,
I'm working on Capsicum security framework [1] for the FreeBSD Project.
While implementing sandbox mode for some applications like tcpdump, we
have noticed that sandboxed applications are no longer able to resolve DNS
names. This happens because each DNS resolving is done by making a
connection to upstream DNS server.
So we decided to use lwresd and corresponding library (liblwres) so an
application will talk only with lwresd daemon on localhost, and lwresd
will upstream DNS query to another server. This worked better, because now
an application has to maintain only one opened socket to lwresd daemon,
instead of opening new one each time DNS resolving happens.
But this also was not enough. We wanted lwresd to use UNIX domain sockets
instead of TCP/UDP, this is more effective and secure as long as all
communication happens on one host.
Another problem is that original liblwres closes socket after each query
and recreates it when needed. This is impossible when an application is
sandboxed, because sockets cannot be created in this state.

To get rid of these problems, I have modified lwresd, liblwres and also
libisc:
1.1) libisc seems to have basic UNIX stream sockets support, but seems it
was not finished, because many if() statements only checked if the
connection type is TCP or UDP. I have added handling of UNIX *datagram*
sockets to all (I hope so) nessesary places. I needed only datagram
sockets, not stream, but since UNIX sockets support in libisc seems to be
unusable anyway, I decided to change the type of socket that is created if
LWRES_ADDRTYPE_UNIXSOCK is requested.
1.2) A socket is not closed after a connection was made and data is
received. Instead, its descriptor is saved and used later when making
subsequent queries.
1.3) New function lwres_socket_init() that tries to open a connection to
lwresd daemon. This function is called by an application just before it
enters sandboxed mode. So later, when it makes a DNS query, it reuses
existing socket.

There are still some problems that I wanted to fix after receiving initial
feedback about my patch.
2.1) The library is modified to use UNIX socket _by_default_. As I
understand it's better to add a support for reading UNIX socket path from
configuration file. Or at least add such command-line option.
2.2) When using UNIX datagram sockets, one should create a "client" socket
to receive replies from server (lib/lwres/context.c, near line 349). I
wonder where this socket should be closed. What I think is that a context
structure should be modified to include client socket descriptor, so we
will be able to close it if we don't need it any more.
2.3) Maybe add a config file switch to prevent lwresd from closing
communication socket after each use? I.e. make a behaviour described in
1.2 optional.

Thank you in advance for reviewing this work, hope you'll find it useful.
I'm also CC'ing Robert Watson, Jonathan Anderson and Ben Laurie, who work
on Capsicum implementation.

[1] http://www.cl.cam.ac.uk/research/security/capsicum/

-- 
Regards,
Ilya Bakulin
http://kibab.com
xmpp://kibab612@jabber.ru
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bind9_unixsock_support.diff
Type: application/octet-stream
Size: 9676 bytes
Desc: not available
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20120116/fa1200f3/attachment.obj>

More information about the bind-users mailing list