Received: by 2002:ab2:69cc:0:b0:1f4:be93:e15a with SMTP id n12csp1061914lqp;
        Sun, 14 Apr 2024 12:13:09 -0700 (PDT)
X-Forwarded-Encrypted: i=2; AJvYcCXhT/9+VoB+MYWEyUVKbZQ5N1QDAYr4FTBj7mdzBSMQ5UPEtAJ9fWRpvbQZBNRea4LZRjBbETYVZLmxZB5A7cbq/lB2VyCLJ054cdbF9g==
X-Google-Smtp-Source: AGHT+IF/eVTazteO5gxUDEqXEtV57hRkSqqmEV5+PR1mhc3tiRX1QF5GDbyvev9GVdsY97SiUTj0
X-Received: by 2002:a05:620a:4d5:b0:78d:6ef5:f10d with SMTP id 21-20020a05620a04d500b0078d6ef5f10dmr8362287qks.65.1713121989497;
        Sun, 14 Apr 2024 12:13:09 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1713121989; cv=none;
        d=google.com; s=arc-20160816;
        b=YYb/hypQuymq809GAQYMXWaRpuFhXZsC7GlLjXL5KYi+Mf2QFfrCooPoZ4lT0qRgxW
         Kgw3dKs4uhKJB1BFgVrZzGPjSczoI2MIx23IUwVdptvt9U+ipYjwIfdLpq0tq6g5aSRq
         +q9nMaQYT62wNpcW+Pov5EondgE6dHrmOhm52G75Z4mQ+zt8lmgyccs7tmMHd0urv190
         09Inhnh5voAMGShTUUYytAKkj8hCz/BdtU9fmwLdIFqI+8H1uBwlqyaJ+xV8LJiQoCK+
         zA0R/UdlcwEypGW7Tsrq5iPdL/FQkKn441qA8hk0xneIee0PifsIOTFt2IKregIb/1Zp
         TtWQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=subject:user-agent:content-disposition:mime-version:message-id:to
         :from:date:delivered-to:delivered-to:reply-to:list-id:list-subscribe
         :list-unsubscribe:list-help:list-post:precedence:mailing-list;
        bh=T83osS7eubIrcfw6r0C1fa1faS5sL2NOgt1deQ8Kt6M=;
        fh=9jsPTyo6edd9xvAeG+KFFrRrXMmgB/RdwUKOrvy9dcA=;
        b=VPyZzjPRreD7B7G6XIui5AmhI6EMLJ1USEYYqgHnhSzihrstP2VokHYcJ5oPYSxAyx
         cxbgmOHOJNkCzPXIE2pVgX0ellEb5yHV7KMTomTnrpGD8DYedml30sg63i4t8FsWIPDm
         J1hcQ11KkXk18YtjTy6o8P3cim97oU1MtUSSxOofg+6PZqo9mBoFiRfBy6ew5IWg7Zk0
         YFhzbzgNtFyvvyCYof1cp2zYKVNOuFByWC5dq74P2rTuWser2pFBCUgEMDUsdJCV45w/
         09T39yXLDaryugcQ7pIHoVaLAKxgdQ11bkjS3mUhFTvWpKxiIzkPxGkLMvP7cQfb4tKn
         5GmA==;
        dara=google.com
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of oss-security-return-30025-linux.lists.archive=gmail.com@lists.openwall.com designates 193.110.157.125 as permitted sender) smtp.mailfrom="oss-security-return-30025-linux.lists.archive=gmail.com@lists.openwall.com"
Return-Path: <oss-security-return-30025-linux.lists.archive=gmail.com@lists.openwall.com>
Received: from second.openwall.net (second.openwall.net. [193.110.157.125])
        by mx.google.com with SMTP id br15-20020a05620a460f00b0078ed3ae7f4fsi5639731qkb.27.2024.04.14.12.13.08
        for <linux.lists.archive@gmail.com>;
        Sun, 14 Apr 2024 12:13:09 -0700 (PDT)
Received-SPF: pass (google.com: domain of oss-security-return-30025-linux.lists.archive=gmail.com@lists.openwall.com designates 193.110.157.125 as permitted sender) client-ip=193.110.157.125;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of oss-security-return-30025-linux.lists.archive=gmail.com@lists.openwall.com designates 193.110.157.125 as permitted sender) smtp.mailfrom="oss-security-return-30025-linux.lists.archive=gmail.com@lists.openwall.com"
Received: (qmail 28159 invoked by uid 550); 14 Apr 2024 19:12:47 -0000
Mailing-List: contact oss-security-help@lists.openwall.com; run by ezmlm
Precedence: bulk
List-Post: <mailto:oss-security@lists.openwall.com>
List-Help: <mailto:oss-security-help@lists.openwall.com>
List-Unsubscribe: <mailto:oss-security-unsubscribe@lists.openwall.com>
List-Subscribe: <mailto:oss-security-subscribe@lists.openwall.com>
List-ID: <oss-security.lists.openwall.com>
Reply-To: oss-security@lists.openwall.com
Delivered-To: mailing list oss-security@lists.openwall.com
Delivered-To: moderator for oss-security@lists.openwall.com
Received: (qmail 26075 invoked from network); 14 Apr 2024 19:12:01 -0000
Date: Sun, 14 Apr 2024 21:08:55 +0200
From: Solar Designer <solar@openwall.com>
To: oss-security@lists.openwall.com
Message-ID: <20240414190855.GA12716@openwall.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.4.2.3i
Subject: [oss-security] Linux: Disabling network namespaces

Hi,

Many Linux kernel vulnerabilities including the recently exploited
Netfilter CVE-2024-1086 require CAP_NET_ADMIN in a namespace, yet a
typically recommended mitigation is to disable user namespaces (not just
network namespaces).

Further, while on Debian/Ubuntu it is possible to disable just
unprivileged user namespaces with the Debian-specific sysctl
kernel.unprivileged_userns_clone=0, on other distros we'd have to use
user.max_user_namespaces=0, which (unnecessarily) prevents starting of
containers even by root.

Fredrik Nystrom on Rocky Linux Mattermost channel Security pointed out
that it is reasonable to disable just network namespaces with
user.max_net_namespaces=0 instead, and that the negative effects of
doing so and how to cope with them are well-documented for Apptainer,
with its documentation also covering Docker, Podman, and systemd:

https://apptainer.org/docs/admin/latest/user_namespace.html#disabling-network-namespaces

I hope some of us in here find this useful, and maybe we (including
distros) will start recommending this milder mitigation when sufficient.

I include this section of the Apptainer documentation below, as taken
from its source at
https://github.com/apptainer/apptainer-admindocs/blob/main/user_namespace.rst

---
******************************
 Disabling network namespaces
******************************

There have been many Linux kernel exploits that have made use of
unprivileged user namespaces as a point of entry, but almost all of them
in the last few years have been in combination with network namespaces.
Therefore even though the Apptainer project recommends enabling
unprivileged user namespaces, it recommends disabling network namespaces
when possible in order to substantially reduce the risk profile
and need for urgent updates when vulnerabilities are announced.

Network namespaces can be disabled on most Linux-based systems
like this:

.. code:: bash

   echo "user.max_net_namespaces = 0" \
        >/etc/sysctl.d/90-max_net_namespaces.conf
   sysctl -p /etc/sysctl.d/90-max_net_namespaces.conf

Apptainer does not by default make use of network namespaces, but it
does have some little-used privileged options beginning with ``--net``
that do.
Those options will not work when network namespaces are disabled.
Unfortunately it is not possible to disable only unprivileged
network namespaces, so this will affect programs that use them
even if run as root.

Some other container runtimes such as Docker and Podman do make use
of network namespaces by default.
Those two runtimes can still work when network namespaces are disabled
by adding the ``--net=host`` option.

Disabling network namespaces also blocks the systemd PrivateNetwork
feature.
To find services that use it, look for ``PrivateNetwork=true``
or ``PrivateNetwork=yes`` in ``/lib/systemd/system/*.service``.
This can be turned off for each service through a
``/etc/systemd/system/<service>.d/*.conf`` file, for example for
``systemd-hostnamed``:

.. code:: bash

   cd /etc/systemd/system
   mkdir -p systemd-hostnamed.service.d
   (echo "[Service]"; echo "PrivateNetwork=no") \
        >systemd-hostnamed.service.d/no-private-network.conf

If the service is enabled (that is, actively used) then restart it
and check its status:

.. code:: bash

   systemctl status systemd-hostnamed
   systemctl daemon-reload
   systemctl restart systemd-hostnamed
   systemctl status systemd-hostnamed
---

Alexander