Network phys permissions owner unprivileged

Debian 9: a container runs a firewall

modprobe on host: xt_recent
iptables -A blacklist -m recent --name blacklist --set

In the container: ls -la /proc/net/xt_recent
dr-xr-xr-x 2 root root 0 Sep 19 18:02 .
dr-xr-xr-x 6 root root 0 Sep 19 18:02 ..
-rw-r--r-- 1 nobody nogroup 0 Sep 19 18:02 blacklist
-rw-r--r-- 1 nobody nogroup 0 Sep 19 18:02 DEFAULT
-rw-r--r-- 1 nobody nogroup 0 Sep 19 18:02 zaehler1
-rw-r--r-- 1 nobody nogroup 0 Sep 19 18:02 zaehler2
-rw-r--r-- 1 nobody nogroup 0 Sep 19 18:02 zaehler3
-rw-r--r-- 1 nobody nogroup 0 Sep 19 18:02 zaehler4
Owner should be root.
lxc.mount.entry = /proc/net/xt_recent proc/net/xt_recent rbind,create=dir,optional
Error: too many links

A privileged container runs without problems.

Looks like things are properly namespaced but permissions are just wrong.
This is a kernel bug in that particular netfilter module. There’s unfortunately nothing that LXC/LXD can do about this.

Your best bet is to file a kernel bug report with your distribution or to the maintainers of this particular kernel module.
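Added check, not part of the original thread or of LXC/LXD: inside a user namespace the kernel reports any file whose owner id has no mapping in that namespace as belonging to the overflow ids (kernel.overflowuid / kernel.overflowgid, 65534 by default), which ls prints as nobody:nogroup on Debian. That is what the xt_recent entries above look like, and it matches the reply that the entries are namespaced but owned wrongly. The script below reads the container's uid_map, shows where host root lands, and lists the entries of a procfs directory whose uid or gid is the overflow id. The uid_map sample in the test and the default path /proc/net/xt_recent are assumptions for illustration.

```python
"""Audit procfs entry ownership as seen from inside an unprivileged container.

Example added by the editor; not code from the thread or from LXC/LXD.
Files owned by an id outside the container's user-namespace mapping are
reported by the kernel as the overflow uid/gid (65534 unless changed via
sysctl), which is what `nobody nogroup` in the ls output corresponds to.
"""
import os
import sys
from typing import List, Optional, Tuple

# One line of /proc/<pid>/uid_map or gid_map: (inside_start, outside_start, count)
IdMap = List[Tuple[int, int, int]]


def parse_id_map(text: str) -> IdMap:
    """Parse the three-column uid_map/gid_map format; skip malformed lines."""
    mapping = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue
        inside, outside, count = (int(f) for f in fields)
        mapping.append((inside, outside, count))
    return mapping


def inside_id(outside: int, mapping: IdMap) -> Optional[int]:
    """Translate a host-side id to the container-side id, or None if unmapped.

    None is the case the kernel renders as the overflow id (nobody/nogroup).
    """
    for inside, out_start, count in mapping:
        if out_start <= outside < out_start + count:
            return inside + (outside - out_start)
    return None


def read_sysctl_int(path: str, default: int) -> int:
    """Read an integer sysctl from procfs, falling back to the kernel default."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return default


def flag_unmapped(entries, overflow_uid=65534, overflow_gid=65534):
    """Return (name, uid, gid) tuples whose uid or gid is an overflow id."""
    return [(name, uid, gid) for name, uid, gid in entries
            if uid == overflow_uid or gid == overflow_gid]


def audit_dir(path="/proc/net/xt_recent"):
    """Stat every entry under `path` and report the ones owned by overflow ids."""
    overflow_uid = read_sysctl_int("/proc/sys/kernel/overflowuid", 65534)
    overflow_gid = read_sysctl_int("/proc/sys/kernel/overflowgid", 65534)
    entries = []
    for name in sorted(os.listdir(path)):
        st = os.lstat(os.path.join(path, name))
        entries.append((name, st.st_uid, st.st_gid))
    return flag_unmapped(entries, overflow_uid, overflow_gid)


if __name__ == "__main__":
    # Assumed default path; pass another procfs directory as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "/proc/net/xt_recent"
    with open("/proc/self/uid_map") as f:
        uid_map = parse_id_map(f.read())
    # In an unprivileged container host uid 0 is normally not mapped, so this prints None.
    print("host root maps to container uid:", inside_id(0, uid_map))
    for name, uid, gid in audit_dir(target):
        print(f"{target}/{name}: owned by {uid}:{gid} "
              "(overflow id: owner is not mapped into this user namespace)")
```

Run it inside the container after the module has created its entries; each line it prints is an entry whose owner the kernel could not express in the container's id mapping, which is why the OP's blacklist, DEFAULT and zaehler* files appear as nobody:nogroup rather than root. In a privileged container the mapping is the identity, host root is inside it, and nothing is flagged, matching the observation that the privileged container works.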