Date: Sun, 14 Apr 2024 18:47:26 -0400
From: Demi Marie Obenour
To: oss-security@lists.openwall.com
References: <20240414190855.GA12716@openwall.com>
In-Reply-To: <20240414190855.GA12716@openwall.com>
Subject: Re: [oss-security] Linux: Disabling network namespaces

On Sun, Apr 14, 2024 at 09:08:55PM +0200, Solar Designer wrote:
> Hi,
>
> Many Linux kernel vulnerabilities including the recently exploited
> Netfilter CVE-2024-1086 require CAP_NET_ADMIN in a namespace, yet a
> typically recommended mitigation is to disable user namespaces (not just
> network namespaces).
>
> Further, while on Debian/Ubuntu it is possible to disable just
> unprivileged user namespaces with the Debian-specific sysctl
> kernel.unprivileged_userns_clone=0, on other distros we'd have to use
> user.max_user_namespaces=0, which (unnecessarily) prevents starting of
> containers even by root.
>
> Fredrik Nystrom on Rocky Linux Mattermost channel Security pointed out
> that it is reasonable to disable just network namespaces with
> user.max_net_namespaces=0 instead, and that the negative effects of
> doing so and how to cope with them are well-documented for Apptainer,
> with its documentation also covering Docker, Podman, and systemd:
>
> https://apptainer.org/docs/admin/latest/user_namespace.html#disabling-network-namespaces
>
> I hope some of us in here find this useful, and maybe we (including
> distros) will start recommending this milder mitigation when sufficient.

Is this still compatible with Firefox?

IMO an ideal solution would be:

1. Provide a privileged helper daemon that sets up containers based on
   user requirements.
2. Port programs that use containers to use this helper.
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
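As an added check (example code written for this archive page, not from either message in the thread), the POSIX shell script below reads the three sysctls the thread discusses and reports which of the mitigations is in effect on the host, then probes whether `unshare -n` is actually blocked for the invoking user. The `classify` labels, the `/proc/sys` paths used for reading, and the `unshare` probe are assumptions of this example; `kernel.unprivileged_userns_clone` is reported as `absent` on kernels that do not carry the Debian patch.

```shell
#!/bin/sh
# Added example: report which namespace mitigation from the thread is applied.
# Reads user.max_user_namespaces, user.max_net_namespaces and the Debian-only
# kernel.unprivileged_userns_clone via /proc/sys (assumed paths).

# read_sysctl <path>: print the value, or "absent" when the knob does not exist
read_sysctl() {
    if [ -r "$1" ]; then cat "$1"; else echo absent; fi
}

# classify <max_user_namespaces> <max_net_namespaces> <unprivileged_userns_clone>
# Prints every mitigation that applies (space separated), or "none".
#   userns-disabled        : user.max_user_namespaces=0, blocks containers even for root
#   unpriv-userns-disabled : kernel.unprivileged_userns_clone=0 (Debian/Ubuntu only)
#   netns-disabled         : user.max_net_namespaces=0, the milder mitigation
classify() {
    out=""
    if [ "$1" = 0 ]; then out="$out userns-disabled"; fi
    if [ "$3" = 0 ]; then out="$out unpriv-userns-disabled"; fi
    if [ "$2" = 0 ]; then out="$out netns-disabled"; fi
    out=${out# }
    echo "${out:-none}"
}

# probe_netns: "blocked" if this user cannot create a network namespace,
# "allowed" otherwise (needs util-linux unshare; a missing binary reads as blocked).
probe_netns() {
    if unshare -n true 2>/dev/null; then echo allowed; else echo blocked; fi
}

main() {
    u=$(read_sysctl /proc/sys/user/max_user_namespaces)
    n=$(read_sysctl /proc/sys/user/max_net_namespaces)
    c=$(read_sysctl /proc/sys/kernel/unprivileged_userns_clone)
    printf 'user.max_user_namespaces=%s user.max_net_namespaces=%s ' "$u" "$n"
    printf 'kernel.unprivileged_userns_clone=%s\n' "$c"
    printf 'mitigation: %s\n' "$(classify "$u" "$n" "$c")"
    printf 'unshare -n for this user: %s\n' "$(probe_netns)"
}

main
```

Run it as the unprivileged user whose containers you care about; a host that has applied only the milder setting from the thread reports `mitigation: netns-disabled` together with `unshare -n ... blocked`.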