From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mail-yb1-xb2b.google.com (mail-yb1-xb2b.google.com [IPv6:2607:f8b0:4864:20::b2b])
	by passt.top (Postfix) with ESMTPS id 55E445A0323
	for <passt-user@passt.top>; Fri, 10 May 2024 05:13:27 +0200 (CEST)
Received: by mail-yb1-xb2b.google.com with SMTP id 3f1490d57ef6-de60a51fe21so1576393276.0
        for <passt-user@passt.top>; Thu, 09 May 2024 20:13:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1715310806; x=1715915606; darn=passt.top;
        h=to:subject:message-id:date:from:mime-version:from:to:cc:subject
         :date:message-id:reply-to;
        bh=rNdTP6/gwL3PehOLACtzbh5L+vgjxsrq7yyMdVzxFy4=;
        b=EaG5pbKnjtdU4bF+aZSEDMVrMsoOE90TRZAEZKkFA/T+U7x3U1JCbXf0YYHDilBkNt
         pD5xszy4qWI58WQg8mSlU8JHMG5nYfRx/Q5g1RQPbrvKcNfg8TEiAMgFt1PzJOsFX2Mt
         WPRdBvxZfpLQBu1M9tddOFOxiEfM0PHEvVkCXk7v6ai+vUlSk3NsalNM7LaRGplfV10g
         TlOq0sv2MciOKNCpEmdlyZXVGD1YsG7kGaE9h6hZUQNyOBYBTtooxhHMvkdTO2iXi/Wi
         d9PYLuLGF/Muy0gPWHpxhYLKDCx5d8yV3xUNPRPFUX9CcIDCSmGxy08CyZAPA4BTGgmP
         HcAQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1715310806; x=1715915606;
        h=to:subject:message-id:date:from:mime-version:x-gm-message-state
         :from:to:cc:subject:date:message-id:reply-to;
        bh=rNdTP6/gwL3PehOLACtzbh5L+vgjxsrq7yyMdVzxFy4=;
        b=OJM7nfDYJ4MS8ba7Cc7/c66FjAadMyB+bGoaLzx8WVQ4F1uynAMznLbGFxEtjlrZcN
         V5K61GXqwKkvwxSCrSSDJpm9Dr+pqRVMdpWHFRFSFGRsMIIv8yZmN31vd8vrSTY3PE+Y
         MXAc8IwnU/4JLnNeCIYkLQAvhLCJmTUFdiDFMEE+sXjokoohgjy+q/9h+zrI34F1+rPt
         0T2v1AB9hguQM3XmMkyD+fC1lLey2y6nAL/VIjLwqHsknE2HNgYtzDd4wmj9u2a4mbX8
         YXGG77Wzh1jAR5BDXxbNGLgFaWCQpRPF/CtYQvkY+OD+K+M7IcAl0sf9vFp+rZ4w9exp
         VE7w==
X-Gm-Message-State: AOJu0Yx9//HLJQKPC74tjHqStxAXIBS5YlwnDTZ2fY5HNtoY2ZO4b/pm
	E85AQbUVouKe3E9Z23eoTE453d7w06lqc1yih25sBT571aKhNLmk1TcLtRePJUtbTPqkoiKDWBv
	sQfPfmmMoPhTToIda/zwrCaz88vJoDOIitw==
X-Google-Smtp-Source: AGHT+IGEBLUkYJMsGjOj8WgR9mKcoN6glqgzr4WlKDkVHxHtRzUNM+iWftG2FgZ6VfpgARSBMcIowjPrhQTbTRvhiHE=
X-Received: by 2002:a05:6902:1009:b0:dbd:8f9:a71 with SMTP id
 3f1490d57ef6-dee4f359eafmr1842879276.28.1715310805644; Thu, 09 May 2024
 20:13:25 -0700 (PDT)
MIME-Version: 1.0
From: Kangjing Huang <huangkangjing@gmail.com>
Date: Thu, 9 May 2024 23:13:09 -0400
Message-ID: <CAPbmFQYeiwNw41QwRpHYDfOX_F_=nu9HeYgirN7+CefdQCRYxg@mail.gmail.com>
Subject: Guest namespace can access host ports via secondary interface addresses
To: passt-user@passt.top
Content-Type: text/plain; charset="UTF-8"
Message-ID-Hash: ZZMUYOEKL6B3TGCOPWQNTHHG7XVWM26Q
X-Message-ID-Hash: ZZMUYOEKL6B3TGCOPWQNTHHG7XVWM26Q
X-MailFrom: huangkangjing@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.8
Precedence: list
List-Id: "For passt users: support, questions and answers" <passt-user.passt.top>
Archived-At: <https://archives.passt.top/passt-user/CAPbmFQYeiwNw41QwRpHYDfOX_F_=nu9HeYgirN7+CefdQCRYxg@mail.gmail.com/>
Archived-At: <https://passt.top/hyperkitty/list/passt-user@passt.top/message/ZZMUYOEKL6B3TGCOPWQNTHHG7XVWM26Q/>
List-Archive: <https://archives.passt.top/passt-user/>
List-Archive: <https://passt.top/hyperkitty/list/passt-user@passt.top/>
List-Help: <mailto:passt-user-request@passt.top?subject=help>
List-Owner: <mailto:passt-user-owner@passt.top>
List-Post: <mailto:passt-user@passt.top>
List-Subscribe: <mailto:passt-user-join@passt.top>
List-Unsubscribe: <mailto:passt-user-leave@passt.top>

Hi there,

I was tweaking around pasta and its usage with podman, and I realized
that from pasta guest namespaces it is possible to access host ports
through the address of secondary interfaces on the host.

Say I have two interfaces on host, with eth0 connecting to a gateway
and eth1 connected to another LAN:

> $ # On host
> $ ifconfig eth0
> eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
>        inet 192.168.1.2  netmask 255.255.255.0  broadcast 192.168.1.255
> ...
> $ ifconfig eth1
> eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
>        inet 192.168.110.1  netmask 255.255.255.0  broadcast 192.168.110.255
> ...
> $ ip route
> default via 192.168.1.1 dev eth0 proto dhcp src 192.168.1.2 metric 1024
> 192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.2 metric 1024
> 192.168.1.1 dev eth0 proto dhcp scope link src 192.168.1.2 metric 1024
> 192.168.110.0/24 dev eth1 proto kernel scope link src 192.168.110.1

If there is some service started on host:

> $ python -m http.server
> Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

>From a pasta namespace, it is impossible to access the host ports by
the address of the main interface:

> $ pasta --config-net
> $ # Now in pasta namespace
> $ curl 192.168.1.2:8000
> curl: (7) Failed to connect to 192.168.1.2 port 8000 after 0 ms: Couldn't connect to server

However I found that it is possible to do so by the address of the
secondary interface:

> $ # In same pasta environment as above
> $ curl 192.168.110.1:8000
> <!DOCTYPE HTML>
> <html lang="en">
> ...

Is this an expected behavior? I believe this is a security escape in
the container context, since containerized services can gain access to
unintended resources.


Thanks,
Chaser Huang

--
Kangjing "Chaser" Huang