ABE vs libvirt

Discussions about the Application Boundaries Enforcer (ABE) module
sourcejedi
Junior Member
Posts: 41
Joined: Sat Oct 15, 2011 10:42 am

ABE vs libvirt

Post by sourcejedi » Sat Jun 10, 2017 4:09 pm

[ABE] < LOCAL> Deny on {GET http://jessie/icons/openlogo-75.png <<< http://jessie/ - 1}
SYSTEM rule:
Site LOCAL
Accept from LOCAL
Deny
$ getent ahosts jessie
192.168.122.74 STREAM jessie
192.168.122.74 DGRAM
192.168.122.74 RAW
fe80::b4f5:2ff:feb9:b12f STREAM
fe80::b4f5:2ff:feb9:b12f DGRAM
fe80::b4f5:2ff:feb9:b12f RAW
$ ip addr show virbr0
5: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 36:e1:d8:88:0e:6e brd ff:ff:ff:ff:ff:ff
inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
valid_lft forever preferred_lft forever
Of course `ping fe80::b4f5:2ff:feb9:b12f` returns `connect: Invalid argument`, this is getent being stupid. Link Local Addresses require you to specify, well, a link.

If I force the libvirt bridge to enable ipv6 with `sysctl -w net.ipv6.conf.virbr0.disable_ipv6=0`, then I can ping `jessie`, and it switches to the ipv6 address. Opening a Private Browsing window and retrying gets it to use IPv6, as seen in `netstat -t`; the ABE error is the same.

What should I try to troubleshoot this?
Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:53.0) Gecko/20100101 Firefox/53.0

sourcejedi
Junior Member
Posts: 41
Joined: Sat Oct 15, 2011 10:42 am

Re: ABE vs libvirt

Post by sourcejedi » Sat Jun 10, 2017 4:12 pm

Sorry, I'm used to being able to edit...

The bridge is libvirt, but the server is a systemd-nspawn container. That's how the name "jessie" is resolved - the host has nss-mymachines installed.

barbaz
Senior Member
Posts: 9038
Joined: Sat Aug 03, 2013 5:45 pm

Re: ABE vs libvirt

Post by barbaz » Sat Jun 10, 2017 4:58 pm

I think this can happen if "jessie" resolves to both LOCAL and non-LOCAL address. Try adding this at the very top of NoScript Options > Advanced > ABE > SYSTEM -

    Site ^https?://jessie/.*
    Accept from ^https?://jessie/.*

sourcejedi wrote: Sorry, I'm used to being able to edit...
off-topic: Are you saying you're registered on this forum but can't log in?
*Always* check the changelogs BEFORE updating that important software!
-

sourcejedi
Junior Member
Posts: 41
Joined: Sat Oct 15, 2011 10:42 am

Re: ABE vs libvirt

Post by sourcejedi » Sat Jun 10, 2017 7:39 pm

What are my LOCAL addresses, if they don't include both the IPv4 network directly connected to virbr0, and IPv6 link-local addresses?

sourcejedi
Junior Member
Posts: 41
Joined: Sat Oct 15, 2011 10:42 am

Re: ABE vs libvirt

Post by sourcejedi » Sun Jun 11, 2017 10:48 am

Huh. It doesn't seem like it's IPv6-specific either...

If I remove the ipv6 address from the container, it disappears from `getent hosts`. Again, I can connect to jessie and use `netstat -t` to check that the connection is using the ipv4 addresses and not ipv6. But I still get the ABE error.

I'm not interested in whitelisting "jessie"; if that's the best I can do with ABE then I'm better off disabling it.

sourcejedi
Junior Member
Posts: 41
Joined: Sat Oct 15, 2011 10:42 am

Re: ABE vs libvirt

Post by sourcejedi » Sun Jun 11, 2017 10:57 am

Guest wrote:What are my LOCAL addresses, if they don't include both the IPv4 network directly connected to virbr0, and IPv6 link-local addresses?
According to the PDF,
LOCAL special token for local network (private IPv4 and IPv6, see RFC 3330 and RFC 4193)
Note RFC 4193 is only about Unique Local Addresses, it does not include Link Local Addresses.

My last test where the only IP was `192.168.122.74` should have worked by this definition though.

sourcejedi
Junior Member
Posts: 41
Joined: Sat Oct 15, 2011 10:42 am

Re: ABE vs libvirt

Post by sourcejedi » Sun Jun 11, 2017 11:51 am

So - looking at barbaz' suggestion, and the default rules, I can add this at the top of SYSTEM:

# nodots often include IPv6 link-local
# which NoScript is apparently forced to treat as non-LOCAL
# to avoid breaking mis-configured websites.
# Examples: LLMNR and nss-mymachines
#
# There are not supposed to be any resolvable nodots in the global DNS
#
# (.local can also include IPv6 link-local,
# however Linux is usually configured not to support this.
# Mac users might want a rule for that though).
#
Site ^https?://[^.]*[:/]
Accept from ^https?://[^.]*[:/]
Deny

# Prevent Internet sites from requesting LAN resources.
Site LOCAL
Accept from LOCAL
Deny
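Added worked example (not from the original posts and not NoScript's code) modelling the behaviour this thread describes: LOCAL as RFC 3330 private IPv4 plus RFC 4193 ULA, IPv6 link-local counted as non-LOCAL, the nodots rule above evaluated before the LOCAL rule, and the resolver results supplied by a caller-provided lookup so the stale-cache case (IPv4 plus a cached link-local address) and the post-restart case (IPv4 only) can both be replayed. Two things are assumptions of mine rather than quotes of NoScript's implementation: that loopback counts as LOCAL, and the any/all asymmetry (a destination is LOCAL if any of its addresses is local, an origin only if every address is local), which is the reading of barbaz's "both LOCAL and non-LOCAL address" explanation that reproduces the observed Deny.

```javascript
// Added illustration, not NoScript code: classify resolved addresses the way the
// thread reads the LOCAL token, then evaluate the two SYSTEM rules against a
// caller-supplied resolver that stands in for NoScript's DNS cache.

function parseIPv4(addr) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(addr);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every(o => o <= 255) ? octets : null;
}

// RFC 1918 private space (as listed in RFC 3330) plus loopback (assumption).
function isPrivateIPv4(octets) {
  const [a, b] = octets;
  return a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168) || a === 127;
}

// Only the leading hextet is needed to tell ULA (fc00::/7, RFC 4193) from
// link-local (fe80::/10); everything else is treated as global.
function ipv6Kind(addr) {
  if (!addr.includes(':')) return null;
  if (addr === '::1') return 'loopback';
  const first = addr.split(':')[0];
  const h = first === '' ? 0 : parseInt(first, 16);
  if (Number.isNaN(h)) return null;
  if ((h & 0xfe00) === 0xfc00) return 'ula';
  if ((h & 0xffc0) === 0xfe80) return 'link-local';
  return 'global';
}

function isLocalAddress(addr) {
  const v4 = parseIPv4(addr);
  if (v4) return isPrivateIPv4(v4);
  const kind = ipv6Kind(addr);
  return kind === 'ula' || kind === 'loopback'; // link-local and global are non-LOCAL
}

// Assumed asymmetry: a destination is LOCAL if any address is local (protects the
// target), an origin is LOCAL only if every address is local (distrusts a mixed
// requester). A host with 192.168.122.74 plus fe80::... is therefore denied.
const siteIsLocal = addrs => addrs.some(isLocalAddress);
const originIsLocal = addrs => addrs.length > 0 && addrs.every(isLocalAddress);

// The regex from the nodots rule above: host part without dots, ended by ':' or '/'.
const NODOTS = /^https?:\/\/[^.]*[:\/]/;

// resolve: hostname -> array of address strings (the stand-in for NoScript's cache).
function abeDecision(requestUrl, originUrl, resolve, { nodotsRule = true } = {}) {
  if (nodotsRule && NODOTS.test(requestUrl)) {
    return NODOTS.test(originUrl) ? 'accept' : 'deny'; // Site nodots / Accept from nodots / Deny
  }
  const site = new URL(requestUrl).hostname;
  if (siteIsLocal(resolve(site))) {
    const origin = new URL(originUrl).hostname;
    return originIsLocal(resolve(origin)) ? 'accept' : 'deny'; // Site LOCAL / Accept from LOCAL / Deny
  }
  return 'accept'; // no SYSTEM rule matched
}

// Constructed resolver states mirroring the thread: cached IPv4 + link-local, then IPv4 only.
const MIXED = { jessie: ['192.168.122.74', 'fe80::b4f5:2ff:feb9:b12f'] };
const V4ONLY = { jessie: ['192.168.122.74'] };
const lookup = table => host => table[host] || [];

const REQ = 'http://jessie/icons/openlogo-75.png';
const ORIGIN = 'http://jessie/';

function demo() {
  return {
    cachedMixed: abeDecision(REQ, ORIGIN, lookup(MIXED), { nodotsRule: false }),   // 'deny'
    afterRestart: abeDecision(REQ, ORIGIN, lookup(V4ONLY), { nodotsRule: false }), // 'accept'
    withNodotsRule: abeDecision(REQ, ORIGIN, lookup(MIXED)),                        // 'accept'
    internetToLan: abeDecision(REQ, 'https://evil.example/', lookup(V4ONLY)),       // 'deny'
  };
}

console.log(demo());
```

Two points worth checking before relying on the nodots rule: it never consults the resolver, so it decides purely on URL shape, which is what makes it immune to the stale-cache problem; and `[^.]*[:/]` also admits a URL whose userinfo contains a colon (`http://user:pw@example.com/` matches on `user:`), so if that matters in your environment a tighter host class such as `[^./@]+` avoids it.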

barbaz
Senior Member
Posts: 9038
Joined: Sat Aug 03, 2013 5:45 pm

Re: ABE vs libvirt

Post by barbaz » Sun Jun 11, 2017 12:20 pm

sourcejedi wrote:If I remove the ipv6 address from the container, it disappears from `getent hosts`. Again, I can connect to jessie and use `netstat -t` to check that the connection is using the ipv4 addresses and not ipv6. But I still get the ABE error.
???

With IPv6 disabled, can you please open the Browser Console (Ctrl-Shift-J), run this code, and post the result here? -

    // ask NoScript's own DNS cache for "jessie" and show the cached entries
    Cu.getGlobalForObject(Cc["@maone.net/noscript-service;1"].getService().wrappedJSObject)
      .DNS.resolve("jessie", 0, function (r) { alert(r.entries.toSource()); });

sourcejedi
Junior Member
Posts: 41
Joined: Sat Oct 15, 2011 10:42 am

Re: ABE vs libvirt

Post by sourcejedi » Sun Jun 11, 2017 12:36 pm

Per my postings, it started working after I restarted the browser.

I think this makes sense, NoScript could still have the IPv6 LLA in its own cache. Together with the IPv4 "private" address, it means a mix of LOCAL and non-LOCAL addresses, which causes the default denial.

Is there something unexpected in that, which you'd like me to go back and reproduce?

barbaz
Senior Member
Posts: 9038
Joined: Sat Aug 03, 2013 5:45 pm

Re: ABE vs libvirt

Post by barbaz » Sun Jun 11, 2017 12:39 pm

sourcejedi wrote:Per my postings, it started working after I restarted the browser.
Sorry, I didn't see that. Never mind then.

Thanks for reporting back. :)

sourcejedi
Junior Member
Posts: 41
Joined: Sat Oct 15, 2011 10:42 am

Re: ABE vs libvirt

Post by sourcejedi » Sun Jun 11, 2017 12:43 pm

****, one of my postings got lost somehow.

As I say, restarting the browser worked to clear NoScript's cache, and stop it seeing more than one address for "jessie". During that temporary test.

The comment about IPv6 LLAs not being counted as LOCAL was from here: https://github.com/avian2/noscript/blob ... NS.js#L336

I realized noscript had a cache (duh) after seeing _cache.PutExt here: https://github.com/avian2/noscript/blob ... NS.js#L314
