[Lxc-users] Mitigating LXC Container Evasion?

Casey Schaufler casey at schaufler-ca.com
Thu Aug 4 04:01:08 UTC 2011


On 8/3/2011 4:24 PM, Serge E. Hallyn wrote:
> Quoting Andre Nathan (andre at digirati.com.br):
>> Hi Mike
>>
>> On Wed, 2011-08-03 at 17:52 -0400, Michael H. Warfield wrote:
>>> That's v4 syntax.  Does it not work at all?  Did you try this:
>>>
>>> echo ::/0 @ > /smack/netlabel
>>>
>>> Not having tried this myself at all, I'm just asking.  If it doesn't
>>> work, that needs to be fixed but it's a SMACK bug.
>> Olivier's IPv4 example works fine, but with IPv6 I get an error:
>>
>> # echo ::/0 @ > /smack/netlabel
>> -bash: echo: write error: Invalid argument
> Looking at linux-2.6/security/smack/smackfs.c, nothing but
> 'a.b.c.d label' or 'a.b.c.d/mask label' is allowed.  Now,
> smack_lsm.c does suggest that it wants to work with IPV6,
> but I haven't looked closely enough to tell how it will
> try to match the labels.
>
> Casey, is Smack netlabel supposed to work with IPV6?

IPv6 support is a pending work item for Smack. The whole
IPSEC thing makes it much more difficult than IPv4.

>
> thanks,
> -serge
>




