[Lxc-users] Mitigating LXC Container Evasion?

Michael H. Warfield mhw at WittsEnd.com
Thu Aug 4 04:39:06 UTC 2011


On Wed, 2011-08-03 at 21:01 -0700, Casey Schaufler wrote: 
> On 8/3/2011 4:24 PM, Serge E. Hallyn wrote:
> > Quoting Andre Nathan (andre at digirati.com.br):
> >> Hi Mike
> >>
> >> On Wed, 2011-08-03 at 17:52 -0400, Michael H. Warfield wrote:
> >>> That's v4 syntax.  Does it not work at all?  Did you try this:
> >>>
> >>> echo ::/0 @ > /smack/netlabel
> >>>
> >>> Not having tried this myself at all, I'm just asking.  If it doesn't
> >>> work, that needs to be fixed but it's a SMACK bug.
> >> Olivier's IPv4 example works fine, but with IPv6 I get an error:
> >>
> >> # echo ::/0 @ > /smack/netlabel
> >> -bash: echo: write error: Invalid argument
> > Looking at linux-2.6/security/smack/smackfs.c, nothing but
> > 'a.b.c.d label' or 'a.b.c.d/mask label' is allowed.  Now,
> > smack_lsm.c does suggest that it wants to work with IPV6,
> > but I haven't looked closely enough to tell how it will
> > try to match the labels.
> >
> > Casey, is Smack netlabel supposed to work with IPV6?

> IPv6 support is a pending work item for Smack. The whole
> IPSEC thing makes it much more difficult than IPv4.

???

Whoa...  Hold da phone a minute!

I'm a contributor and developer to Openswan (I'm the author of some code
for some Cisco ASA compatibility) and other VPN projects.  That does not
compute to me.  How does IPsec make IPv6 more difficult?  Are you saying
you do not support IPsec on IPv4 but support is required on IPv6, or is
there something else in v6 that I'm missing here?  IPv6 does complicate
things when you get into IKE v2 world where you can directly tunnel a v6
network over v4 endpoints which IKE v1 did not provide for.  Is this the
problem?  The cross protocol encapsulations?

Openswan supports 3 stacks, Netkey (the kernel native), KLIPS (the
original FreeS/WAN stack), and Mast.  My personal primary focus has been
on the Netkey stack which is managed through the "ip xfrm" commands and
functions.  To the user space, IPv6 and IPv4 are agnostic.  How does v6
in SMACK space become more difficult for v6?  It shouldn't be...

> > thanks,
> > -serge

Regards,
Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 482 bytes
Desc: This is a digitally signed message part
URL: <http://lists.linuxcontainers.org/pipermail/lxc-users/attachments/20110804/56fa3b71/attachment.pgp>
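As an added illustration (this is not code from the thread, from Smack or from LXC), the following Python script dry-runs candidate rules against the only grammar Serge says smackfs accepts, 'a.b.c.d label' or 'a.b.c.d/mask label', so an administrator can see why a line such as "::/0 @" is refused before it is written to /smack/netlabel. The 0..32 mask range, the /32 default for a bare address, the label-length limit and the sample rules are assumptions constructed for this example.

```python
"""Added example (not from the thread, Smack or LXC): a user-space pre-check
that mirrors the IPv4-only netlabel rule grammar described in the thread,
'a.b.c.d label' or 'a.b.c.d/mask label'.  Mask range, label length and the
/32 default are assumptions of this script."""
import ipaddress

MAX_LABEL_LEN = 255  # assumption for this check, not a value from the thread


def parse_netlabel_rule(rule: str):
    """Parse one netlabel rule line.

    Returns (IPv4Network, label).  Raises ValueError for anything outside the
    IPv4-only grammar, which is the user-space analogue of the EINVAL
    ('write error: Invalid argument') reported in the thread for '::/0 @'.
    """
    parts = rule.split()
    if len(parts) != 2:
        raise ValueError("expected '<a.b.c.d>[/mask] <label>'")
    host, label = parts
    addr_str, _, mask_str = host.partition("/")

    # Only a dotted-quad IPv4 address is accepted; '::' fails here.
    try:
        addr = ipaddress.IPv4Address(addr_str)
    except ipaddress.AddressValueError:
        raise ValueError(f"not a dotted-quad IPv4 address: {addr_str!r}") from None

    prefix = 32  # a bare host address is treated as a /32 (assumption)
    if mask_str:
        if not mask_str.isdigit() or not 0 <= int(mask_str) <= 32:
            raise ValueError(f"mask must be a prefix length 0..32, got {mask_str!r}")
        prefix = int(mask_str)

    if not 1 <= len(label) <= MAX_LABEL_LEN:
        raise ValueError(f"bad label {label!r}")

    return ipaddress.IPv4Network((addr, prefix), strict=False), label


def check_rules(rules):
    """Dry-run a list of candidate rules; returns [(rule, accepted, detail)]."""
    results = []
    for rule in rules:
        try:
            net, label = parse_netlabel_rule(rule)
            results.append((rule, True, f"{net} -> {label}"))
        except ValueError as exc:
            results.append((rule, False, str(exc)))
    return results


if __name__ == "__main__":
    # Constructed sample rules: two IPv4 forms, the failing IPv6 line, and a
    # line with the label missing.
    sample = ["10.0.3.0/24 @", "192.168.1.7 lxc", "::/0 @", "10.0.3.0/24"]
    for rule, ok, detail in check_rules(sample):
        print(f"{'OK ' if ok else 'ERR'} {rule!r}: {detail}")
```

The check only reproduces the syntax constraint the thread describes; it says nothing about how the kernel would match labels for IPv6 traffic once support lands.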