Bug#903025: systemd-run -p IPAddressDeny=any does not stop network in systemd-nspawn
root
ryutaroh.matsumoto at nagoya-u.jp
Thu Jul 5 10:36:41 BST 2018
Package: systemd-container
Version: 239-4
Severity: important
Tags: security
Dear Maintainer,
systemd-run -t -p "IPAddressDeny=any" ping -c 1 192.168.1.1 normally generates
ping: sendmsg: Operation not permitted
When we run the above command in systemd-nspawn -b -M some-machine,
it generates
64 bytes from 192.168.1.1: icmp_seq=1 ttl=255 time=0.305 ms
For the same reason, "IPAddressDeny=any" has no effect in the systemd
service configuration files inside a systemd container.
The protection mechanism provided by "IPAddressDeny=any" does not work
at all inside a systemd container.
I saw this failure of protection as potentially dangerous,
and gave it "important" severity and the "security" tag.
On the host Linux the versions of systemd and systemd-nspawn are
both 239-4. On the guest Linux the version of systemd is also 239-4.
Best regards,
Ryutaroh
-- System Information:
Debian Release: 9.4
APT prefers stable
APT policy: (990, 'stable'), (500, 'stable-updates'), (500, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 4.16.0-0.bpo.2-amd64 (SMP w/8 CPU cores)
Locale: LANG=ja_JP.UTF-8, LC_CTYPE=ja_JP.UTF-8 (charmap=UTF-8), LANGUAGE=ja_JP.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages systemd-container depends on:
ii dbus 1.12.8-3
ii libacl1 2.2.52-3+b1
ii libbz2-1.0 1.0.6-8.1
ii libc6 2.27-3
ii libcurl3-gnutls 7.52.1-5+deb9u6
ii libgcrypt20 1.8.3-1
ii liblzma5 5.2.2-1.2+b1
ii libseccomp2 2.3.1-2.1
ii libselinux1 2.6-3+b3
ii systemd 239-4
ii zlib1g 1:1.2.8.dfsg-5
Versions of packages systemd-container recommends:
pn btrfs-progs <none>
pn libnss-mymachines <none>
systemd-container suggests no packages.
-- no debconf information
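The report shows that a unit can carry IPAddressDeny=any and still reach the network when it runs inside a container, so the directive should be verified rather than trusted. The following added shell script (not part of the bug report or of systemd) classifies the output of the probe command above and reports whether it ran in a container; the target address 192.168.1.1 is taken from the report and the --wait/--pipe options are used instead of -t so the probe needs no terminal.

```shell
#!/bin/sh
# Added example, not from the bug report: decide from the ping output
# whether "IPAddressDeny=any" was actually enforced for the transient unit.
# The two matched strings are the outputs quoted in the report.
classify_ipaddressdeny() {
    # $1: combined stdout+stderr of the ping run
    case "$1" in
        *"sendmsg: Operation not permitted"*) echo enforced ;;
        *"bytes from "*)                     echo bypassed ;;
        *)                                   echo unknown ;;
    esac
}

# Run the probe against a target (default: the report's 192.168.1.1) and
# note whether we are inside a container, where the report says the
# directive is silently ineffective. Exit status 0 only when enforced.
probe_ipaddressdeny() {
    target="${1:-192.168.1.1}"
    if ! command -v systemd-run >/dev/null 2>&1; then
        echo "unknown (systemd-run not available)"
        return 2
    fi
    out="$(systemd-run --quiet --wait --pipe -p IPAddressDeny=any \
              ping -c 1 -W 2 "$target" 2>&1)"
    verdict="$(classify_ipaddressdeny "$out")"
    # systemd-detect-virt -c prints the container type, or "none"
    virt="$(systemd-detect-virt -c 2>/dev/null || echo none)"
    echo "$verdict (container: $virt)"
    [ "$verdict" = enforced ]
}

# Usage: sh check_ipdeny.sh --probe [target]
if [ "${1:-}" = "--probe" ]; then
    probe_ipaddressdeny "${2:-}"
fi
```

Run it once on the host and once inside the nspawn container; a "bypassed" verdict inside the container reproduces the condition described in the report.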