|
Message-ID: <s7YhmQrnIRbmomFiJi0MJSYAPjcHLyd18qqgj0vxVww8pXjjmpmzh_TKTfQe-aLvqDRRXaVowt__uXBXONKKDA48d1uKDyeEuSiH0yM0uUI=@protonmail.ch> Date: Sat, 20 Apr 2024 21:33:07 +0000 From: Jordan Glover <Golden_Miller83@...tonmail.ch> To: oss-security@...ts.openwall.com Subject: Re: Linux: Disabling network namespaces On Saturday, April 20th, 2024 at 8:12 PM, Solar Designer <solar@...nwall.com> wrote: > Does bubblewrap maybe already relinquish also the ability to create > nested namespaces, which it probably could do with seccomp? I guess not > as that would break its usage to sandbox programs like Firefox that also > create a namespace for their own sandbox. With namespace creation still > allowed but capabilities ineffective, I guess such programs maybe could > still work if they don't need to configure networking in the sandbox. bubblwrap has --disable-userns option which prevents creation of nested namespaces (from manpage): --disable-userns Prevent the process in the sandbox from creating further user namespaces, so that it cannot rearrange the filesystem namespace or do other more complex namespace modification. This is currently implemented by setting the user.max_user_namespaces sysctl to 1, and then entering a nested user namespace which is unable to raise that limit in the outer namespace. This option requires --unshare-user, and doesn't work in the setuid version of bubblewrap. Flatpak uses this (or seccomp filter) to block nested namespaces as this can bypass security its design. For this reason firefox own sandbox doesn't use namespaces in flatpak, see https://bugzilla.mozilla.org/show_bug.cgi?id=1756236 Jordan
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.