[pkg-lxc-devel] Bug#857295: Bug#857295: Bug#857295: Info received ([oss-security] LXC: CVE-2017-5985: lxc-user-nic didn't verify network namespace ownership)

[Stiepan]

Hi Evgeni,

First of all, thank you for posting the detailed steps you used to reproduce a working config, which is by far the best explanation on how to set up LXC for running Debian 8 on top of Debian 8 I have seen yet.

To answer your questions, yes I've been using Jessie's libvirt package "as is". No idea why it doesn't work. However, by following your explanation, I was able to reproduce a working config, using user-mode networking and lxcbr0, on i386, with only minor adaptations and on ppc64, with one big difference: cgmanager has to be used there (see https://linuxcontainers.org/cgmanager/getting-started/) for LXC to run in unprivileged mode, with or without networking, be it using br0 or lxcbr0. Hence, this, in combination with your explanation, makes it work on both architectures I could test.

About br0 v.s. lxcbr0: the main difference between them is the fact that the latter involves running dnsmasq in the background (and therefore has firewall implications, namely an iptables rule is added) to provide ip masquerading (that is, NAT) to the containers.
Note: containerops.org/2013/11/19/lxc-networking provides in-depth coverage of the subject + also covers linux network namespaces in general.

Regarding how to setup our setups:
I think that the Debian wiki on LXC, https://wiki.debian.org/LXC, should be updated with your simplified method - save for the vagrant part of it - and eventually, my architecture-specific notes as well, as I remember reading in a 2.0.7-1-related post that powerpc compatibility was seen as an issue.

As for your last comment, I agree that bridges, be it br0 or lxcbr0, have to be created by root; I was referring to using them as an unprivileged user.

Last but not least, the security bug I had spotted was most likely equivalent to CVE-2017-5985, as I could not reproduce it now that it works again using a lxcbr0 bridge as well (setting the default route in an unprivileged container using user-mode networking does not affect the host anymore), when running lxc 2.0.7-2 from jessie-backports (which includes the fixes for the aforementioned CVE). I will post an update on oss-security with the security-relevant part of this thread.

Stiepan

Sent with [ProtonMail](https://protonmail.com) Secure Email.

-------- Original Message --------
Subject: Re: [pkg-lxc-devel] Bug#857295: Bug#857295: Info received ([oss-security] LXC: CVE-2017-5985: lxc-user-nic didn't verify network namespace ownership)
Local Time: 26 March 2017 12:17 PM
UTC Time: 26 March 2017 10:17
From: evgeni at debian.org
To: Stiepan <stie at itk.swiss>, 857295 at bugs.debian.org

Hi Stiepan,

On Fri, Mar 24, 2017 at 10:51:24AM -0400, Stiepan wrote:

> Using a bridge set up with libvirt (as in http://wiki.libvirt.org/page/Networking#NAT_forwarding_.28aka_.22virtual_networks.22.29) doesn't work.

Is that what the libvirt package does on Debian out-of-the-box?
If so it works just fine for me on my laptop where I put the containers on the vibr0 created by libvirt.

> Neither does using a bridge set up as indicated in https://wiki.debian.org/LXC/SimpleBridge#Using_lxc-net (causes the same errors as with libvirt).

So I just fired a fresh jessie+backports Vagrant box and it worked fine (incl network in the container):

$ vagrant init debian/jessie64
$ vagrant up
$ vagrant ssh

vagrant at jessie:~$ sudo nano /etc/apt/sources.list
deb http://httpredir.debian.org/debian jessie-backports main

vagrant at jessie:~$ sudo apt update

vagrant at jessie:~$ sudo apt install lxc/jessie-backports lxcfs

vagrant at jessie:~$ sudo nano /etc/default/lxc-net
USE_LXC_BRIDGE="true"

vagrant at jessie:~$ systemctl enable lxc-net
vagrant at jessie:~$ systemctl restart lxc-net

vagrant at jessie:~$ ip a s dev lxcbr0
3: lxcbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 00:16:3e:00:00:00 brd ff:ff:ff:ff:ff:ff
inet 10.0.3.1/24 scope global lxcbr0
valid_lft forever preferred_lft forever

vagrant at jessie:~$ sudo sysctl -w kernel.unprivileged_userns_clone=1

vagrant at jessie:~$ exit # needed to trigger lxcfs' PAM module

$vagrant ssh

vagrant at jessie:~$ cat /proc/self/cgroup
8:perf_event:/
7:blkio:/
6:net_cls,net_prio:/
5:freezer:/user/vagrant/0
4:devices:/
3:cpu,cpuacct:/
2:cpuset:/
1:name=systemd:/user/vagrant/0

vagrant at jessie:~$ mkdir ~/.config/lxc/ -p

vagrant at jessie:~$ nano ~/.config/lxc/default.conf
xc.include = /etc/lxc/default.conf
lxc.id_map = u 0 624288 65536
lxc.id_map = g 0 624288 65536

vagrant at jessie:~$ sudo nano /etc/lxc/lxc-usernet
vagrant veth lxcbr0 10

vagrant at jessie:~$ lxc-create -n jessie -t download -- -d debian -r jessie -a amd64

vagrant at jessie:~$ nano .local/share/lxc/jessie/config
lxc.network.type=veth
lxc.network.flags=up
lxc.network.link=lxcbr0

vagrant at jessie:~$ lxc-start -n jessie
vagrant at jessie:~$ lxc-ls -f
NAME STATE AUTOSTART GROUPS IPV4 IPV6
jessie RUNNING 0 - - -

> Using a classical / "plain old" / you-name-it bridge, set up as in http://wiki.libvirt.org/page/Networking#Altering_the_interface_config, does work.

I don't see any technical difference between the plain br0 setup with this link and the ones created by lxc-net or libvirt.
Can you point them out please?

> By the way, the lxc_delete_network:3028... additional error I was seeing pops up only when /etc/lxc/lxc-usernet is still set to use br0, whilst the LXC container is
> set to use virbr0 and hence can be ignored, sorry about that. When properly configured (i.e. when both are configured to use virbr0, or lxcbr0), container startup
> simply fails with a "Failed to create the configured network" error, but still fails, whereas when using classical br0, it works.

Can you please provide the steps how to setup your setup from a plain jessie or stretch image?

> So, if your bridge is set up as suggested in https://wiki.debian.org/BridgeNetworkConnections' Manual bridge setup section, using either brctl or
> /etc/network/interfaces (for a persistent config), we have the same configuration and it works, which is fine. Still, I thought that LXC enabled using lxcbr0 bridges
> in user mode, as lxc-user-nic's man page suggests is possible. Can you confirm whether this is the case with the current version?

lxc-user-nic is to attach a user-namespace-nic to an existing bridge, you can't create a bridge with it.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.alioth.debian.org/pipermail/pkg-lxc-devel/attachments/20170328/5ec6fe81/attachment.html>