Bug#903025: systemd-run -p IPAddressDeny=any does not stop network in systemd-nspawn

Michael Biebl biebl at debian.org
Thu Jul 5 10:41:14 BST 2018


Am 05.07.2018 um 11:36 schrieb root:
> Package: systemd-container
> Version: 239-4
> Severity: important
> Tags: security
> 
> Dear Maintainer,
> 
> systemd-run -t -p "IPAddressDeny=any" ping -c 1 192.168.1.1 normally generates
> ping: sendmsg: Operation not permitted
> 
> When we run the above command in systemd-nspawn -b -M some-machine,
> it generates
> 64 bytes from 192.168.1.1: icmp_seq=1 ttl=255 time=0.305 ms
> 
> By the same reason, "IPAddressDeny=any" has no effect in the systemd
> service configuration files inside a systemd container.
> The protection mechanism by "IPAddressDeny=any" does not work
> at all inside a systemd container.
> I saw this failure of protection as potentially dangerous,
> and gave "important" severity and "security" tag.
> 
> On the host linux the versions of systemd and systemd-nspawn are
> both 239-4. On the guest linux the version of systemd is also 239-4.

Thanks for your bug report.
Can you please raise this issue upstream at
https://github.com/systemd/systemd/issues and report back with the bug
number.

Regards,
Michael


-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
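Added example, not code from the bug report or the Debian package: a Python check that runs a throwaway transient unit under IPAddressDeny=any, exactly as the report does, and turns the outcome into a verdict so an operator can confirm the filter actually bites on a given host or inside a container before relying on it (the loopback target, ping timeout and use of systemd-detect-virt are assumptions).

```python
"""Check whether IPAddressDeny= is actually enforced where this runs.

Added example: spawns a transient unit like the one in the bug report and
classifies the result. A "not-enforced" verdict inside a container means the
network sandboxing does not bite there and must not be relied on.
"""
import shutil
import subprocess

ENFORCED, NOT_ENFORCED, INCONCLUSIVE = "enforced", "not-enforced", "inconclusive"


def classify(returncode: int, stdout: str, stderr: str) -> str:
    """Map the transient unit's exit status and output onto a verdict."""
    # The filter rejects the send; ping reports it on stderr.
    if "Operation not permitted" in stderr:
        return ENFORCED
    # An echo reply came back: traffic passed despite IPAddressDeny=any.
    if returncode == 0 and "bytes from" in stdout:
        return NOT_ENFORCED
    # Unreachable target, missing tool, systemd-run permission error, ...
    return INCONCLUSIVE


def check_ip_deny(target: str = "127.0.0.1", timeout_s: int = 5) -> str:
    """Run a single ping under IPAddressDeny=any (target/timeout are assumed defaults)."""
    if shutil.which("systemd-run") is None:
        return INCONCLUSIVE
    cmd = ["systemd-run", "--wait", "--pipe", "--collect", "--quiet",
           "-p", "IPAddressDeny=any",
           "ping", "-c", "1", "-W", "1", target]
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout_s)
    except (OSError, subprocess.TimeoutExpired):
        return INCONCLUSIVE
    return classify(proc.returncode, proc.stdout, proc.stderr)


def in_container() -> bool:
    """True when systemd-detect-virt reports a container environment."""
    if shutil.which("systemd-detect-virt") is None:
        return False
    return subprocess.run(["systemd-detect-virt", "--container"],
                          capture_output=True).returncode == 0


if __name__ == "__main__":
    where = "container" if in_container() else "host"
    print(f"IPAddressDeny=any on this {where}: {check_ip_deny()}")
```

Run it as root (or a user allowed to create transient system units) both on the host and inside the nspawn guest; the two verdicts should match before the setting is treated as a security boundary.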
