Package: systemd-container Version: 239-4 Severity: important Tags: security
Dear Maintainer, systemd-run -t -p "IPAddressDeny=any" ping -c 1 192.168.1.1 normally generates ping: sendmsg: Operation not permitted When we run the above command in systemd-nspawn -b -M some-machine, it generates 64 bytes from 192.168.1.1: icmp_seq=1 ttl=255 time=0.305 ms By the same reason, "IPAddressDeny=any" has no effect in the systemd service configuration files inside a systemd container. The protection mechanism by "IPAddressDeny=any" does not work at all inside a systemd container. I saw this failure of protection as potentially dangerous, and gave "important" severity and "security" tag. On the host linux the versions of systemd and systemd-nspawn are both 239-4. On the guest linux the version of systemd is also 239-4. Best regards, Ryutaroh -- System Information: Debian Release: 9.4 APT prefers stable APT policy: (990, 'stable'), (500, 'stable-updates'), (500, 'unstable'), (500, 'testing') Architecture: amd64 (x86_64) Kernel: Linux 4.16.0-0.bpo.2-amd64 (SMP w/8 CPU cores) Locale: LANG=ja_JP.UTF-8, LC_CTYPE=ja_JP.UTF-8 (charmap=UTF-8), LANGUAGE=ja_JP.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages systemd-container depends on: ii dbus 1.12.8-3 ii libacl1 2.2.52-3+b1 ii libbz2-1.0 1.0.6-8.1 ii libc6 2.27-3 ii libcurl3-gnutls 7.52.1-5+deb9u6 ii libgcrypt20 1.8.3-1 ii liblzma5 5.2.2-1.2+b1 ii libseccomp2 2.3.1-2.1 ii libselinux1 2.6-3+b3 ii systemd 239-4 ii zlib1g 1:1.2.8.dfsg-5 Versions of packages systemd-container recommends: pn btrfs-progs <none> pn libnss-mymachines <none> systemd-container suggests no packages. -- no debconf information
