[Lxc-users] Mitigating LXC Container Evasion?
Serge E. Hallyn
serge.hallyn at canonical.com
Wed Aug 3 23:24:10 UTC 2011

Quoting Andre Nathan (andre at digirati.com.br):
> Hi Mike
>
> On Wed, 2011-08-03 at 17:52 -0400, Michael H. Warfield wrote:
> > That's v4 syntax. Does it not work at all? Did you try this:
> >
> > echo ::/0 @ > /smack/netlabel
> >
> > Not having tried this myself at all, I'm just asking. If it doesn't
> > work, that needs to be fixed but it's a SMACK bug.
>
> Olivier's IPv4 example works fine, but with IPv6 I get an error:
>
> # echo ::/0 @ > /smack/netlabel
> -bash: echo: write error: Invalid argument

Looking at linux-2.6/security/smack/smackfs.c, nothing but
'a.b.c.d label' or 'a.b.c.d/mask label' is allowed. Now,
smack_lsm.c does suggest that it wants to work with IPv6,
but I haven't looked closely enough to tell how it will
try to match the labels.

Casey, is Smack netlabel supposed to work with IPv6?

thanks,
-serge