
Internal networks cannot make external DNS requests

Open mheon opened this issue 2 months ago • 20 comments

Internal networks cannot connect to the internet thanks to routing, but they can connect to Aardvark, which will happily forward their DNS requests to the internet.

This could theoretically be used to build a data-exfiltration sidechannel.

Fix this by identifying internal networks with a filename suffix (using a character disallowed in actual network names to ensure we don't conflict with another network) and explicitly setting their DNS servers to an empty list (and refusing to set per-container DNS at all). We could actually error on finding DNS servers in an internal network, but silently ignoring prevents possible compatibility issues with Netavark.

mheon avatar Apr 05 '24 15:04 mheon
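The two rules the description lays out (a network marked internal gets no upstream servers and no per-container DNS servers, but its own container names still resolve), written out as an added Rust example. This is not aardvark-dns's own code: the `%internal` file-name marker, the `Network` struct and the function names are illustrative assumptions, since the page does not show the project's actual marker character or data structures.

```rust
use std::collections::HashMap;
use std::net::Ipv4Addr;

/// Hypothetical suffix marking an internal network's config file; the real
/// marker character chosen by the project is not shown on this page.
pub const INTERNAL_MARKER: &str = "%internal";

/// Simplified stand-in for one loaded network config (not the project's own struct).
pub struct Network {
    pub internal: bool,
    pub upstream: Vec<Ipv4Addr>,                       // network-wide forwarders
    pub container_dns: HashMap<String, Vec<Ipv4Addr>>, // per-container forwarders
    pub records: HashMap<String, Ipv4Addr>,            // container name -> address
}

#[derive(Debug, PartialEq)]
pub enum Resolution {
    Local(Ipv4Addr),        // answered from the network's own records
    Forward(Vec<Ipv4Addr>), // would be relayed to these upstream servers
    Refused,                // internal network: nothing may leave
}
pub fn is_internal_config(file_name: &str) -> bool {
    file_name.ends_with(INTERNAL_MARKER)
}

/// Load-time rule from the PR description: an internal network keeps its local
/// records, but every upstream list (network-wide and per-container) is dropped.
pub fn load_network(file_name: &str, upstream: Vec<Ipv4Addr>,
                    container_dns: HashMap<String, Vec<Ipv4Addr>>,
                    records: HashMap<String, Ipv4Addr>) -> Network {
    let internal = is_internal_config(file_name);
    Network {
        internal,
        upstream: if internal { Vec::new() } else { upstream },
        container_dns: if internal { HashMap::new() } else { container_dns },
        records,
    }
}

/// Query-time decision for `name` asked by container `requester` on `net`.
pub fn resolve(net: &Network, requester: &str, name: &str) -> Resolution {
    if let Some(ip) = net.records.get(name.trim_end_matches('.')) {
        return Resolution::Local(*ip);
    }
    let servers = net.container_dns.get(requester).unwrap_or(&net.upstream);
    if net.internal || servers.is_empty() {
        return Resolution::Refused; // belt and braces: lists are already empty
    }
    Resolution::Forward(servers.clone())
}
```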

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mheon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment Approvers can cancel approval by writing /approve cancel in a comment

openshift-ci[bot] avatar Apr 05 '24 15:04 openshift-ci[bot]

podman e2e tests failed on RHEL. @containers/packit-build please check.

Ephemeral COPR build failed. @containers/packit-build please check.

podman system tests failed on RHEL. @containers/packit-build please check.

Hm. I think we might need a patched Netavark in the VMs to make this work.

mheon avatar Apr 05 '24 18:04 mheon


Well, yeah, that is the problem with the compatibility issues with nv/av.

Rethinking this, I don't think the filename is the best idea given its compatibility issues on updates. What do you think about using an xattr on the file to indicate this? We would still need to update both, but if we just update one it will not cause any weird side effects because the old aardvark-dns will just ignore it.

Luap99 avatar Apr 08 '24 09:04 Luap99

Never mind, it looks like tmpfs and "user." xattrs are rather new; it was just added last year, so this would get us in trouble on older kernels.

Luap99 avatar Apr 08 '24 09:04 Luap99

@mheon Can you rebase this? I think tests should work now.

Luap99 avatar May 14 '24 11:05 Luap99

Ephemeral COPR build failed. @containers/packit-build please check.

Integration tests failed. @containers/packit-build please check.