Received: by 2002:ab2:69cc:0:b0:1f4:be93:e15a with SMTP id n12csp1501378lqp; Mon, 15 Apr 2024 08:13:45 -0700 (PDT) X-Forwarded-Encrypted: i=2; AJvYcCWa+VIuYUQeQ9bErkUFhYbZ27u/qqHErDsHtR1VOIhmuIZWA66AFRqcsaX9puy+1ZVww663ZrSAeYCrRs48nqLRgTLjbu/fcDZo+YVm1A== X-Google-Smtp-Source: AGHT+IGIUrwdtNEp5muslE3UYHgQ0Gr3xzNEiijYGaG0/WO+3ox/NKDvuF0EN1IPIRSUvxHXPo4f X-Received: by 2002:ad4:558a:0:b0:69b:1e64:4139 with SMTP id f10-20020ad4558a000000b0069b1e644139mr22068757qvx.27.1713194025041; Mon, 15 Apr 2024 08:13:45 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1713194025; cv=none; d=google.com; s=arc-20160816; b=I7uyIG8/o5J1zzi/JyUFkjRjSRRYFWl6SAzzzny9hvvZVADTHYWMoRLgMgcftJn/DD Q5ubg+Y7GxUXPeL2DzE4l1lCcCwvGUWLttpdPW+Qdx3oJo9hTwe+Fvbe7zUcJLwuwpEb XHm/Qae2kUkC48b1EOTkw4+I+pGJlLAUDJ9D1GUYTNUaRTLneKT8svZSKbPDtkt/vQ0s ciSLRUenLdgm/S9UbGDR3Hup+z9I7SpMnzo4ZvsGYGpqTzWt1CUz/vIQ1LA4ch1Y5RPB rVytPm/WcS4AZ8mlTKCmiLR3DJLTTuAqCeSyX1Z5xQ7Je40lvKChB07l6MDDNhau9XDo N9YQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=subject:user-agent:in-reply-to:content-disposition:mime-version :references:message-id:to:from:date:delivered-to:delivered-to :reply-to:list-id:list-subscribe:list-unsubscribe:list-help :list-post:precedence:mailing-list; bh=wlsH+YaPlFU2MtTRRKg6CvSE+lgjrkJSxQWCu4F4du0=; fh=9jsPTyo6edd9xvAeG+KFFrRrXMmgB/RdwUKOrvy9dcA=; b=faI7ZMMLYRsXhDn4eWzjeoeWAoZntx1Dnhn2H6ovchjwJhMj0X3dS9xSc19J99fpYZ sXBbCBRkmYZfGwiMTvIcqZTbyh4Y1sJdYx6YHSLGzsMnehFbjgRHymTgT3jKBFGksy3/ u6Z/5drShL2B4tXzpFjhFdHLYX4MnHh+nSMmssLhi1CnsnmRjpn0e+1g4bzRu4UHx1GJ HEnL0F87qkkidUDRcPLMRiNHub9d1TtQgnDDYKLbfhCHfH9osMQ7xGhPNUbBbw+SgAnu P48jQZ3Qu0hqkwrIHVY88L86nasGJXvcqlNkZ9DWmI4SbSuE1VkJsD0xjgNOBAogLUJa E2pQ==; dara=google.com ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of oss-security-return-30028-linux.lists.archive=gmail.com@lists.openwall.com designates 193.110.157.125 as permitted sender) smtp.mailfrom="oss-security-return-30028-linux.lists.archive=gmail.com@lists.openwall.com" Return-Path: Received: from second.openwall.net (second.openwall.net. [193.110.157.125]) by mx.google.com with SMTP id z18-20020a056214041200b0069927e1eecasi11303740qvx.193.2024.04.15.08.13.44 for ; Mon, 15 Apr 2024 08:13:45 -0700 (PDT) Received-SPF: pass (google.com: domain of oss-security-return-30028-linux.lists.archive=gmail.com@lists.openwall.com designates 193.110.157.125 as permitted sender) client-ip=193.110.157.125; Authentication-Results: mx.google.com; spf=pass (google.com: domain of oss-security-return-30028-linux.lists.archive=gmail.com@lists.openwall.com designates 193.110.157.125 as permitted sender) smtp.mailfrom="oss-security-return-30028-linux.lists.archive=gmail.com@lists.openwall.com" Received: (qmail 27692 invoked by uid 550); 15 Apr 2024 15:13:23 -0000 Mailing-List: contact oss-security-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Reply-To: oss-security@lists.openwall.com Delivered-To: mailing list oss-security@lists.openwall.com Delivered-To: moderator for oss-security@lists.openwall.com Received: (qmail 26403 invoked from network); 15 Apr 2024 15:13:10 -0000 Date: Mon, 15 Apr 2024 17:13:09 +0200 From: Solar Designer To: oss-security@lists.openwall.com Message-ID: <20240415151309.GA15253@openwall.com> References: <20240414190855.GA12716@openwall.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.4.2.3i Subject: Re: [oss-security] Linux: Disabling network namespaces On Sun, Apr 14, 2024 at 06:47:26PM -0400, Demi Marie Obenour wrote: > On Sun, Apr 14, 2024 at 09:08:55PM +0200, Solar Designer wrote: > > Fredrik Nystrom on Rocky Linux Mattermost channel Security pointed out > > that it is reasonable to disable just network namespaces with > > user.max_net_namespaces=0 instead, and that the negative effects of > > doing so and how to cope with them are well-documented for Apptainer, > > with its documentation also covering Docker, Podman, and systemd: > > > > https://apptainer.org/docs/admin/latest/user_namespace.html#disabling-network-namespaces > > > > I hope some of us in here find this useful, and maybe we (including > > distros) will start recommending this milder mitigation when sufficient. > > Is this still compatible with Firefox? No. Per my testing, setting user.max_net_namespaces=0 while keeping user.max_user_namespaces at greater than 0 is _not_ compatible with Firefox 124.0.2. However, setting user.max_user_namespaces=0 is compatible with it, regardless of whether user.max_net_namespaces is 0 or not. I guess it only has fallbacks (perhaps weakening its sandbox) for the case when user namespaces can't be created, but not for this mixed case when user can be, but net can't. Breaking Firefox or weakening its sandbox is indeed not great. I primarily meant these settings for headless servers, which wouldn't commonly run Firefox. However, even there I can see how weakening systemd service sandboxing is also not great. Maybe we need to invent a kernel.unprivileged_netns_clone setting similar to Debian's kernel.unprivileged_userns_clone, so that systemd (running as root) would still be able to create network namespaces. And/or make Debian's kernel.unprivileged_userns_clone official upstream and use that. Why did Debian choose to deprecate (but not yet drop?) theirs and go with upstream's user.max_user_namespaces, which doesn't provide exactly the same functionality? Was there an attempt at upstreaming? > IMO an ideal solution would be: > > 1. Provide a privileged helper daemon that sets up containers based on > user requirements. > > 2. Port programs that use containers to use this helper. Not likely to happen universally and not good in terms of introducing a middle project and dependency that could dictate rules to others. Alexander