subgraph/oz

Investigate lowering privileges of openvpn and/or running client in sandbox

Opened this issue · 2 comments

dma commented
  • openvpn is a scary, invasive, complex client that most often runs as root and configures host based on external input; it was also vulnerable to shellshock
  • We could sandbox fs (could also be used to override resolv.conf to avoid DNS resolution over Tor)
  • Run in own netns to minimize modification of host global routing table, expose for use via bridge/veth
  • Reduce capabilities to whatever is minimally required, e.g. CAP_NET_ADMIN
  • AppArmor
  • Run client with seccomp bpf wrapper
dma commented

The openvpn client can be run in a lower-privileged mode, with the tun interface set to the sandbox netns. Then, if the IP address/peer of the tun device is set in the new netns, an existing connection initiated outside of the sandbox will work.

However, oz-init still needs to wake up and change the tun configuration if the address is dynamically assigned when the connection breaks and is re-established, as is often the case.

dma commented

So TODO on this: we need to write an if-up that openvpn calls when the IP address changes. This would run as gid oz-openvpn (which it would inherit from openvpn process) and connect to oz-daemon over ozipc - it could pass gid over socket to auth if we feel necessary - and then inform oz-daemon that the IP address has changed. oz-daemon can then tell oz-init of the sandbox to update the interface in its sandbox, or just do it itself.
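One shape the if-up hook described in this thread could take, as an added example rather than oz's own code: an openvpn `--up`/`--down` script that validates the peer-supplied environment and applies the tunnel address inside the sandbox netns itself (the "just do it itself" branch; the ozipc round-trip to oz-daemon is not shown). It assumes openvpn is started with `--ifconfig-noexec`, `--script-security 2` and `--up`/`--down` pointing at this script, and that the sandbox netns name arrives in a hypothetical `OZ_NETNS` variable; `script_type`, `dev`, `ifconfig_local` and `ifconfig_remote` are the variables openvpn itself exports to hooks.

```shell
#!/bin/sh
# Added example, not oz's code: an openvpn --up/--down hook that applies the
# tunnel address inside a sandbox netns instead of on the host.
# Assumed invocation: openvpn ... --ifconfig-noexec --route-noexec \
#   --script-security 2 --up /path/to/oz-ifup --down /path/to/oz-ifup
# OZ_NETNS (hypothetical) names the sandbox netns; script_type, dev,
# ifconfig_local and ifconfig_remote are exported by openvpn itself.

# The address values come from the remote server via PUSH_REPLY, so they are
# external input: accept only a plain tunN name and dotted-quad IPv4 addresses
# before they go anywhere near ip(8).
valid_dev()  { printf '%s' "$1" | grep -Eq '^tun[0-9]+$'; }
valid_ipv4() { printf '%s' "$1" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$'; }

# Emit, one per line, the ip(8) commands that move device $2 into netns $1 and
# configure it as a point-to-point link $3 -> $4 (net30/p2p topology only).
# Returns 1 and prints nothing if any argument fails validation.
netns_commands() {
  ns=$1; d=$2; l=$3; r=$4
  valid_dev "$d" && valid_ipv4 "$l" && valid_ipv4 "$r" || return 1
  printf '%s\n' "ip link set dev $d netns $ns" \
                "ip -n $ns addr add $l peer $r dev $d" \
                "ip -n $ns link set dev $d up"
}

# Hook entry point. Only acts when openvpn set script_type; when this file is
# sourced (e.g. by a test) it defines the functions and does nothing else.
case "${script_type:-}" in
  up)
    cmds=$(netns_commands "${OZ_NETNS:?OZ_NETNS not set}" "$dev" \
                          "$ifconfig_local" "$ifconfig_remote") || exit 1 ;;
  down)
    valid_dev "$dev" || exit 1
    cmds="ip -n ${OZ_NETNS:?OZ_NETNS not set} link set dev $dev down" ;;
  *)
    cmds='' ;;
esac

# OZ_DRY_RUN=1 prints the plan instead of executing it. Moving the device and
# addressing it inside the netns needs CAP_NET_ADMIN, which openvpn holds for
# the initial --up but not after --user/--group take effect; that is the
# reconnect case the thread says oz-daemon must handle instead.
if [ -n "$cmds" ]; then
  if [ -n "${OZ_DRY_RUN:-}" ]; then
    printf '%s\n' "$cmds"
  else
    printf '%s\n' "$cmds" | while read -r c; do $c || exit 1; done || exit 1
  fi
fi
```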