On Mon, Jun 17, 2019 at 04:22:30AM +0800, Shengjing Zhu wrote:
Control: severity -1 normal
On Tue, Jun 11, 2019 at 6:09 PM Shengjing Zhu <z...@debian.org> wrote:
I checked more carefully on https://github.com/moby/moby/pull/28257
and https://github.com/moby/moby/issues/14041
Then I concluded that docker does nothing wrong in this case.
[...]
With the reason I explained last week, I would downgrade this issue.
Sorry for not replying sooner, I had a very busy week.
Your code review and conclusions from it are reasonable. I read them
last week (although I did not have time to reply) and my thoughts were:
is that the code in the current Debian package?
I ask because the reason I filed this in the first place is because I
hit it on my main Debian system. My kvm/libvirt-based VMs lost their
networking due to docker changing the forward iptables policy. I had
not manually modified the ip_forward /proc setting, so either
1) this was not necessary for libvirt/kvm's networking to function,
and so is not a perfect test as to whether changing the forwarding
iptables chain will break something
or
2) libvirt/kvm's networking set the ip_forward proc setting it required,
and the packaged docker does not correctly check the proc value before
making the change, despite the logic in the code linked above (or
perhaps that is not the code corresponding to the docker version that
is presently packaged)
(Or I suppose 3), a race is possible between the /proc check and the iptables
change, but I don't think that's likely what has happened in my case.)
So IMHO the severity drop is not appropriate because it's predicated on a
theoretical reasoning of the situation rather than a practical one, i.e., I
actually hit this on a real machine in real circumstances. But I will attempt
to reproduce it a second time on my real machine before challenging the
severity again.
To respond to some of your specific points:
So as for your VM scenario, why didn't you set ip_forward manually?
Because I did not need to. Either it was not necessary for the specific
networking setup for my libvirt/kvm VMs, or libvirt/kvm set it explicitly
itself. I do not manually need to tweak stuff in /proc. As part of
reproducing this I will check the specific network setup that the libvirt
VMs are using, but it's the package/debian default.
How docker know it's not a vulnerability if it didn't set FORWARD
chain to DROP when it enables ip_forward.
They could add a "-j DROP" rule that was scoped specifically to the docker
subnet, after their other (-j ACCEPT) rules. That's just one way that this
could be done less disruptively.
--
Jonathan Dowland
