[Lxc-users] Mitigating LXC Container Evasion?

Casey Schaufler casey at schaufler-ca.com
Thu Aug 4 05:21:54 UTC 2011


On 8/3/2011 9:39 PM, Michael H. Warfield wrote:
> On Wed, 2011-08-03 at 21:01 -0700, Casey Schaufler wrote:
>> On 8/3/2011 4:24 PM, Serge E. Hallyn wrote:
>>> Quoting Andre Nathan (andre at digirati.com.br):
>>>> Hi Mike
>>>>
>>>> On Wed, 2011-08-03 at 17:52 -0400, Michael H. Warfield wrote:
>>>>> That's v4 syntax. Does it not work at all? Did you try this:
>>>>>
>>>>> echo ::/0 @ > /smack/netlabel
>>>>>
>>>>> Not having tried this myself at all, I'm just asking. If it doesn't
>>>>> work, that needs to be fixed but it's a SMACK bug.
>>>> Olivier's IPv4 example works fine, but with IPv6 I get an error:
>>>>
>>>> # echo ::/0 @ > /smack/netlabel
>>>> -bash: echo: write error: Invalid argument
>>> Looking at linux-2.6/security/smack/smackfs.c, nothing but
>>> 'a.b.c.d label' or 'a.b.c.d/mask label' is allowed. Now,
>>> smack_lsm.c does suggest that it wants to work with IPV6,
>>> but I haven't looked closely enough to tell how it will
>>> try to match the labels.
>>>
>>> Casey, is Smack netlabel supposed to work with IPV6?
>
>> IPv6 support is a pending work item for Smack. The whole
>> IPSEC thing makes it much more difficult than IPv4.
>
> ???
 
'struth, as they say down under.
 
>
> Whoa... Hold da phone a minute!
>
> I'm a contributor and developer to Openswan (I'm the author of some code
> for some Cisco ASA compatibility) and other VPN projects. That does not
> compute to me. How does IPsec make IPv6 more difficult? Are you saying
> you do not support IPsec on IPv4 but support is required on IPv6 or is
> there something else in v6 that I'm missing here. IPv6 does complicate
> things when you get into IKE v2 world where you can directly tunnel a v6
> network over v4 endpoints which IKE v1 did not provide for. Is this the
> problem? The cross protocol encapsulations?
 
Smack does not use IPsec on IPv4. Smack uses CIPSO. CIPSO is
implemented completely within the kernel. It has no user space
component. There is no CIPSO equivalent for IPv6 due to the
expectation that all IPv6 implementations will use IPsec and
IPsec will address all security issues known to man and then
some.
 
>
> Openswan supports 3 stacks, Netkey (the kernel native), KLIPS (the
> original FreeS/WAN stack), and Mast. My personal primary focus has been
> on the Netkey stack which is managed through the "ip xfrm" commands and
> functions. To the user space, IPv6 and IPv4 are agnostic. How does v6
> in SMACK space become more difficult for v6? It shouldn't be...
 
You're right. If Smack was using IPsec for IPv4 it oughtn't be
any more difficult for IPv6. Smack is not using IPsec because it
is orders of magnitude more complex than CIPSO.
 
Thus, IPv6 support for Smack is much harder than IPv4 support
for Smack was. The difference is not between IPv6 and IPv4,
rather it is the difference between IPsec and CIPSO.
 
>
>>> thanks,
>>> -serge
>
> Regards,
> Mike
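An added illustration, not part of this thread and not the kernel's own smackfs code: a small Python model of the /smack/netlabel line grammar Serge describes ('a.b.c.d label' or 'a.b.c.d/mask label'), showing why Andre's IPv6 write comes back as "Invalid argument". Treating the mask as a prefix length, the longest-prefix lookup, the comment handling and the sample rules are assumptions of this example.

```python
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class NetlabelRule(NamedTuple):
    network: ipaddress.IPv4Network   # host address plus optional /mask
    label: str                       # Smack label, e.g. "@" as in the thread


class NetlabelError(ValueError):
    """Raised for lines the kernel (as described in the thread) rejects with EINVAL."""


def parse_netlabel_rule(line: str) -> NetlabelRule:
    """Parse one 'a.b.c.d label' or 'a.b.c.d/mask label' line.

    Only IPv4 dotted quads are accepted, matching Serge's reading of
    smackfs.c; anything else, including IPv6 such as '::/0', is rejected
    the same way the failed echo in the thread was.
    """
    parts = line.split()
    if len(parts) != 2:
        raise NetlabelError("Invalid argument")
    host, label = parts
    if "/" in host:
        addr_txt, mask_txt = host.split("/", 1)
        # assumption of this example: the mask is a prefix length 0..32
        if not mask_txt.isdigit() or not 0 <= int(mask_txt) <= 32:
            raise NetlabelError("Invalid argument")
        prefix = int(mask_txt)
    else:
        addr_txt, prefix = host, 32       # no mask: a single host
    try:
        addr = ipaddress.IPv4Address(addr_txt)   # rejects '::', '1.2.3', names
    except ipaddress.AddressValueError:
        raise NetlabelError("Invalid argument") from None
    return NetlabelRule(ipaddress.IPv4Network((addr, prefix), strict=False), label)


def load_rules(text: str) -> Tuple[List[NetlabelRule], List[Tuple[str, str]]]:
    """Parse a batch of lines; return (accepted rules, [(bad line, reason)]).

    Blank and '#' lines are skipped as a convenience of this example only.
    """
    accepted, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            accepted.append(parse_netlabel_rule(line))
        except NetlabelError as exc:
            rejected.append((line, str(exc)))
    return accepted, rejected


def label_for(address: str, rules: List[NetlabelRule]) -> Optional[str]:
    """Longest-prefix lookup (an assumption of this example, not a claim
    about the kernel's list ordering). Returns None when nothing matches."""
    addr = ipaddress.IPv4Address(address)
    best = None
    for rule in rules:
        if addr in rule.network and (
            best is None or rule.network.prefixlen > best.network.prefixlen
        ):
            best = rule
    return best.label if best else None


# Constructed sample: two IPv4 rules plus the IPv6 line from the thread.
SAMPLE_RULES = """
# host-only entry
10.0.0.5 web
# whole LAN gets the wildcard label
192.168.1.0/24 @
# IPv6 is not in the grammar: this is the line that failed in the thread
::/0 @
"""

if __name__ == "__main__":
    rules, rejected = load_rules(SAMPLE_RULES)
    for r in rules:
        print(f"accepted {r.network} -> {r.label}")
    for line, reason in rejected:
        print(f"rejected {line!r}: {reason}")
    print("192.168.1.7 ->", label_for("192.168.1.7", rules))
```

Running it accepts the two IPv4 lines and rejects `::/0 @` with the same "Invalid argument" text the shell reported, which is the grammar limitation Serge points at rather than a typo in the command.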
 