On 05.07.2018 at 11:36, root wrote:
> Package: systemd-container
> Version: 239-4
> Severity: important
> Tags: security
>
> Dear Maintainer,
>
> systemd-run -t -p "IPAddressDeny=any" ping -c 1 192.168.1.1 normally generates
> ping: sendmsg: Operation not permitted
>
> When we run the above command in systemd-nspawn -b -M some-machine,
> it generates
> 64 bytes from 192.168.1.1: icmp_seq=1 ttl=255 time=0.305 ms
>
> For the same reason, "IPAddressDeny=any" has no effect in the systemd
> service configuration files inside a systemd container.
> The protection mechanism of "IPAddressDeny=any" does not work
> at all inside a systemd container.
> I saw this failure of protection as potentially dangerous,
> and gave it "important" severity and the "security" tag.
>
> On the host Linux the versions of systemd and systemd-nspawn are
> both 239-4. On the guest Linux the version of systemd is also 239-4.
Thanks for your bug report. Can you please raise this issue upstream at
https://github.com/systemd/systemd/issues and report back with the bug number.

Regards,
Michael

--
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
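The reproducer in the report is a one-off command whose verdict you read by eye. The script below is an added example, not part of the bug report and not systemd's own code: it wraps the same probe in a function that returns a distinct exit status for "enforced" (sendmsg refused), "bypassed" (a reply came back) and "inconclusive" (neither), and labels the result with the container type from systemd-detect-virt, so the same check can be run on the host and inside the nspawn guest and compared. Assumptions: iputils ping, a systemd-run that supports --wait and --pipe (systemd 236 or later), a reachable TARGET (192.168.1.1 is reused from the report as a placeholder), and the "probe" argument as the trigger, which is this example's own convention.

```shell
#!/bin/sh
# Added example (not from the bug report or the systemd project): probe whether
# IPAddressDeny=any is actually enforced for a transient unit on this system.
# Assumptions: iputils ping, systemd-run with --wait/--pipe (systemd >= 236),
# and a reachable TARGET; 192.168.1.1 is reused from the report as a placeholder.
TARGET="${TARGET:-192.168.1.1}"

# Classify captured ping output.
#   0 = enforced     (sendmsg refused, what the report sees on the host)
#   1 = bypassed     (a reply came back, what the report sees inside nspawn)
#   2 = inconclusive (neither pattern: unreachable target, timeout, no ping, ...)
classify_ping_output() {
    case "$1" in
        *"Operation not permitted"*) return 0 ;;
        *"bytes from"*)              return 1 ;;
        *)                           return 2 ;;
    esac
}

# Human-readable label for a classify_ping_output return code.
describe_result() {
    case "$1" in
        0) echo "enforced" ;;
        1) echo "bypassed" ;;
        *) echo "inconclusive" ;;
    esac
}

# Run the report's command under a transient unit and classify what it prints.
# --wait/--pipe instead of -t so the output can be captured; -W 2 bounds the wait.
probe_ip_address_deny() {
    out=$(systemd-run --quiet --wait --pipe -p IPAddressDeny=any \
              ping -c 1 -W 2 "$TARGET" 2>&1)
    classify_ping_output "$out"
}

# Only probe when invoked as "sh ipdeny-probe.sh probe" (this example's own
# convention), so sourcing the file for its functions has no side effects.
if [ "${1:-}" = "probe" ]; then
    virt=$(systemd-detect-virt --container 2>/dev/null) || virt=none
    rc=0
    probe_ip_address_deny || rc=$?
    printf 'container=%s IPAddressDeny=any is %s\n' "$virt" "$(describe_result "$rc")"
    exit "$rc"
fi
```

Run it as root on the host and again inside the guest started with systemd-nspawn -b; with the behaviour described in the report, the host prints "container=none IPAddressDeny=any is enforced" and the guest prints "container=systemd-nspawn IPAddressDeny=any is bypassed". An exit status of 2 means the probe could not decide (for example the target was unreachable from both environments) and should not be read as either outcome.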