Re: LXC: CVE-2017-5985: lxc-user-nic didn't verify network namespace ownership

["Serge E. Hallyn" <serge () hallyn com>]

On Tue, Mar 28, 2017 at 06:45:34AM -0400, Stiepan wrote:
> Thanks to the 2.0.7-2 update by Evgeni Golov and his crystal-clear instructions on how to use lxcbr0 with this 
> version, I could confirm that the issue with the host's routing table being affected by changes in the containers' 
> routing tables is not there anymore when using that version (lxc 2.0.7-2 from jessie-backports), which includes the 
> fixes to CVE-2017-5985 which were brought in LXC 2.0.7 (upstream).
>
> This was thus basically a variation of said CVE, which probably doesn't need to be separately numbered as such, the 
> core problem at stake being the same:
> network namespace ownership was not respected by a setuid-root program enabling the user to configure networks as 
> non-root, which is now solved.
> This leads me to a suggestion to the upstream developers: couldn't the same be achieved using specific 
> network-related capabilities, instead of setuid-root, thereby further reducing the risk of lxc-user-nic being 
> exploited and hence, reducing overall attack surface (in unprivileged mode)?
> I have read in https://wiki.ubuntu.com/UserNamespace that the approach of using "targeted capabilities" was then 
> considered. This is probably the closest to what I am suggesting (specifically for lxc-user-nic - the current 
> approach with 1-1 uid mappings seems fine for network-unrelated things).

The targeted capabilities wouldn't help here, because in fact
lxc-user-nic requires privilege against the parent namespace.

-serge