[pkg-lxc-devel] Bug#857295: Bug#857295: Info received ([oss-security] LXC: CVE-2017-5985: lxc-user-nic didn't verify network namespace ownership)

Stiepan stie at itk.swiss
Fri Mar 24 14:51:24 UTC 2017


Hi,

Using a bridge set up with libvirt (as in http://wiki.libvirt.org/page/Networking#NAT_forwarding_.28aka_.22virtual_networks.22.29) doesn't work.
Neither does using a bridge set up as indicated in https://wiki.debian.org/LXC/SimpleBridge#Using_lxc-net (causes the same errors as with libvirt).
Using a classical / "plain old" / you-name-it bridge, set up as in http://wiki.libvirt.org/page/Networking#Altering_the_interface_config, does work.

By the way, the lxc_delete_network:3028... additional error I was seeing pops up only when /etc/lxc/lxc-usernet is still set to use br0 whilst the LXC container is set to use virbr0, and hence can be ignored, sorry about that. When properly configured (i.e. when both are configured to use virbr0, or lxcbr0), container startup still fails, but simply with a "Failed to create the configured network" error, whereas when using the classical br0, it works.

So, if your bridge is set up as suggested in the Manual bridge setup section of https://wiki.debian.org/BridgeNetworkConnections, using either brctl or /etc/network/interfaces (for a persistent config), we have the same configuration and it works, which is fine. Still, I thought that LXC enabled using lxcbr0 bridges in user mode, as lxc-user-nic's man page suggests is possible. Can you confirm whether this is the case with the current version?

Regards,
Stiepan


-------- Original Message --------
Subject: Re: [pkg-lxc-devel] Bug#857295: Info received ([oss-security] LXC: CVE-2017-5985: lxc-user-nic didn't verify network namespace ownership)
Local Time: 24 March 2017 10:17 AM
UTC Time: 24 March 2017 09:17
From: evgeni at debian.org
To: Stiepan <stie at itk.swiss>, 857295 at bugs.debian.org

Hi,

On Fri, Mar 24, 2017 at 05:03:57AM -0400, Stiepan wrote:
> Fyi, now that lxc 2.0.7-2 landed in jessie-backports, I am getting a new error when trying to start an lxc instance (running jessie as well) using a virtual br0 rather than "plain old" br0 (all of this in unprivileged mode), namely: lxc_delete_network:3028 - Failed to remove interface "vethXJW6PL" from host: Operation not permitted. With "plain old" br0, it still works as expected.

Can you elaborate a bit more on your network setup please?
What is a "virtual br0"? How do you set this up?

My setup uses brctl to set up the bridge and then unprivileged containers
work fine. I guess that is "plain old" for ya?

Regards
Evgeni
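A quick consistency check for the situation Stiepan describes above, where /etc/lxc/lxc-usernet still named br0 while the container config named virbr0: the script below is an added example, not code from this thread or from the LXC project. It parses the lxc-usernet quota file and the container's lxc.network.type / lxc.network.link keys (LXC 2.0 syntax, with the lxc.net.N.* form of 2.1+ accepted as well) and reports whether the owning user has a quota for that bridge and whether the bridge exists on the host. The user name "stiepan", the temporary files and the stand-in for /sys/class/net are constructed for the demo. The check only catches the misconfiguration that produced the lxc_delete_network error; it says nothing about why a libvirt-created bridge still fails with "Failed to create the configured network" once the two files agree.

```shell
#!/bin/sh
# Added example, not code from the thread or from LXC. Checks that an
# unprivileged container's veth bridge matches a quota line in lxc-usernet
# and that the bridge exists on the host. User "stiepan", the temp files and
# the fake /sys/class/net directory below are constructed for the demo.

# lxc-usernet rules look like "<user> <type> <bridge> <count>"; '#' comments.
# usernet_allows FILE USER TYPE BRIDGE -> 0 if a rule with count > 0 matches.
usernet_allows() {
    awk -v u="$2" -v t="$3" -v b="$4" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $1 == u && $2 == t && $3 == b && $4 + 0 > 0 { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# container_key CONFIG KEY -> value of lxc.network.<KEY> (LXC 2.0 syntax) or
# lxc.net.<n>.<KEY> (LXC 2.1+ syntax); first match, surrounding blanks dropped.
container_key() {
    awk -F= -v k="$2" '
        $1 ~ ("^[ \t]*lxc\\.(network|net\\.[0-9]+)\\." k "[ \t]*$") {
            gsub(/[ \t]/, "", $2); print $2; exit
        }
    ' "$1"
}

# check_container USERNET CONFIG USER [NETDIR]
# exit 0 ok, 1 no quota for that user/type/bridge, 2 no link key in the
# config, 3 bridge missing under NETDIR (default /sys/class/net).
check_container() {
    usernet=$1 config=$2 user=$3 netdir=${4:-/sys/class/net}
    link=$(container_key "$config" link)
    type=$(container_key "$config" type)
    if [ -z "$link" ]; then
        echo "$config: no lxc.network.link / lxc.net.N.link set"; return 2
    fi
    if ! usernet_allows "$usernet" "$user" "${type:-veth}" "$link"; then
        echo "$config: $user has no ${type:-veth} quota for bridge $link in $usernet"; return 1
    fi
    if [ ! -d "$netdir/$link" ]; then
        echo "$config: bridge $link does not exist on the host"; return 3
    fi
    echo "$config: ok, $user may attach a ${type:-veth} to $link"
}

# Demo with constructed files: the quota file still says br0 while one
# container config says virbr0 (the mismatch from the thread), the other br0.
demo_dir=$(mktemp -d)
printf 'stiepan veth br0 10\n' > "$demo_dir/lxc-usernet"
printf 'lxc.network.type = veth\nlxc.network.link = virbr0\n' > "$demo_dir/mismatch.conf"
printf 'lxc.network.type = veth\nlxc.network.link = br0\n' > "$demo_dir/matched.conf"
mkdir -p "$demo_dir/net/br0" "$demo_dir/net/virbr0"   # stand-in for /sys/class/net
for conf in mismatch.conf matched.conf; do
    check_container "$demo_dir/lxc-usernet" "$demo_dir/$conf" stiepan "$demo_dir/net" \
        || echo "  -> exit status $?"
done
rm -rf "$demo_dir"
```

On a real host, run it as the container's owner with the real files, e.g. `check_container /etc/lxc/lxc-usernet ~/.local/share/lxc/NAME/config "$USER"`, and compare the reported bridge with what `brctl show` lists.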

