Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20240419154435.GA7046@openwall.com>
Date: Fri, 19 Apr 2024 17:44:35 +0200
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: Linux: Disabling network namespaces

On Wed, Apr 17, 2024 at 09:52:10AM -0300, Georgia Garcia wrote:
> I just wanted to add that in the Ubuntu Noble Numbat release we are
> using AppArmor to restrict unprivileged user namespaces.

For those who like me are confused by release names, this is 24.04 LTS.

> Applications that don't have an AppArmor profile will use a default
> profile which denies the use of capabilities within the user namespace.

In other words, there's now precedent of allowing namespace creation
while disallowing use of capabilities in the namespace.  I started
thinking of doing the same, but in a lightweight distro-neutral way, by
introducing a new sysctl.

Possible logic could be to set the maximum namespace nesting depth where
capabilities (or maybe specifically CAP_NET_ADMIN) still work.  We could
have this apply to unprivileged user namespaces only or to all.  I guess
systemd's PrivateNetwork services generally don't configure networking
(they just give up network access), so would continue to work even with
capabilities disallowed?

A max depth setting of 1 could allow network configuration in top-level
containers if needed, while reducing the kernel's attack surface exposed
to further sandboxed programs, nested containers, and unintended
namespaces created by exploits running as a user inside a top-level
container.  My thinking is that if someone uses containers with custom
network configuration, they probably mostly care about attacks by
container users (and nested containers, if any) rather than by host
users.  They could also care about attacks by top-level container root,
but there's little we can do here while allowing container root to
configure networking.

Does this sound like it has a chance of getting accepted upstream?

Meanwhile, this looks implementable via security_capable() LSM hook, and
I am thinking of experimenting with it in LKRG:

https://github.com/lkrg-org/lkrg/issues/331

Limiting this new logic only to unprivileged user namespaces feels
tricky or hackish as there doesn't appear to be an existing struct field
to indicate parent's capabilities at namespace creation time.  There is
parent_could_setfcap, which we maybe could abuse.  Any better ideas?

Detailed discussion of implementation wouldn't belong on oss-security.
We'll need to move to kernel-hardening or linux-hardening for that.  But
initial feedback on the idea is fine to have in here, especially from
perspective of required functionality.

> Applications that need to use capabilities will have to be confined by
> a profile. Since we understand that creating an AppArmor profile might
> not be a trivial task for large programs, we introduced the
> "unconfined" flag which makes the profile act as if it were unconfined
> from the perspective of AppArmor, allowing all operations.

Thank you, this is helpful.

> There are more details here:
> https://discourse.ubuntu.com/t/noble-numbat-release-notes/39890#unprivileged-user-namespace-restrictions-13

Looks like the direct link to this section of the release notes has
since changed, now it is:

https://discourse.ubuntu.com/t/noble-numbat-release-notes/39890/1#unprivileged-user-namespace-restrictions-14

I'll quote this section's content below, for archival:

---
Unprivileged user namespace restrictions

In combination with the apparmor package, the Ubuntu kernel now
restricts the use of unprivileged user namespaces. This affects all
programs on the system that are unprivileged and unconfined. A default
AppArmor profile is provided that allows the use of user namespaces for
unprivileged and unconfined applications but will deny the subsequent
use of any capabilities within the user namespace. A common use-case for
unprivileged user namespaces is applications that construct their own
sandboxes or work with styles of container workloads. As such, AppArmor
profiles that allow the use of unprivileged user namespaces are also
provided for common applications and frameworks that come from the
Ubuntu archive, as well as popular third party applications like Google
Chrome, Discord and others. This is a subsequent step towards trying to
mitigate the larger attack surface presented by unprivileged user
namespaces (the first being the introduction of this feature in Ubuntu
23.10 where it was not enabled by default).

Whilst significant effort has been expended to try and identify all
applications that may require such profiles, it is expected that there
may be cases where additional profiles are required.

In this case, there are several options if you run into problems:

- Confine your applications with an AppArmor profile. Because this can
be potentially onerous, a new unconfined profile mode/flag has been
added to AppArmor. This designates the profile to essentially act like
the unconfined mode for AppArmor where an application is not restricted,
and it allows additional permissions to be added, such as the userns,
permission. Such profile for, e.g. Google Chrome, would look like the
following, and it would be located within the /etc/apparmor.d/chrome
file:

abi <abi/4.0>,

include <tunables/global>

/opt/google/chrome/chrome flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/chrome>
}

Alternatively, a complete AppArmor profile for the application can be
created (see the AppArmor 1 documentation).

- Launch your application in a way that doesn't use unprivileged user
namespaces, e.g. google-chrome-stable --no-sandbox. However, since this
disables the use of an internal security feature within the application,
this is not recommended. Instead, use the unconfined profile mode
described above instead.

- Disable this restriction on the entire system for one boot by
executing echo 0 | sudo tee
/proc/sys/kernel/apparmor_restrict_unprivileged_userns. This setting is
lost on reboot. This similar to the previous behaviour, but it does not
mitigate against kernel exploits that abuse the unprivileged user
namespaces feature.

- Disable this restriction using a persistent setting by adding a new
file (/etc/sysctl.d/60-apparmor-namespace.conf) with the following
contents:

kernel.apparmor_restrict_unprivileged_userns=0

Reboot. This is similar to the previous behaviour, but it does not
mitigate against kernel exploits that abuse the unprivileged user
namespaces feature.
---

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.