Date: Mon, 15 Apr 2024 16:32:02 +0100
From: Simon McVittie
To: oss-security@lists.openwall.com
In-Reply-To: <20240414190855.GA12716@openwall.com>
Subject: Re: [oss-security] Linux: Disabling network namespaces

On Sun, 14 Apr 2024 at 21:08:55 +0200, Solar Designer forwarded:
> Some other container runtimes such as Docker and Podman do make use
> of network namespaces by default.

As an example of a less traditional container environment, Flatpak optionally uses network namespaces (as implemented by bubblewrap, bwrap(1)) to isolate apps from the network, and disabling network namespaces will break the ability to run apps that have `--unshare=network` in their manifests. I believe it will "fail closed" in this situation (refusing to run the affected app, rather than running the app but giving it unintended network access).

A workaround would be to run the affected apps with `flatpak run --share=network ...`, or permanently reconfigure their sandboxing parameters with `flatpak override --share=network ...`, but either of those workarounds would remove the network isolation feature and give the affected apps unrestricted network access.

Similarly, libgnome-desktop uses bubblewrap to run sandboxed thumbnailers with no network access, mitigating vulnerabilities that might exist in thumbnailers or the libraries that they use. Again, I believe it will "fail closed", but I haven't checked.

Similarly, WebKitGTK uses bubblewrap to sandbox parts of itself with no network access, xdg-desktop-portal uses bubblewrap for sandboxed icon validation, and I'm sure there are others.

So I suspect that the mitigation of disabling network namespaces is likely to be too disruptive to be applicable on desktops, and only useful on servers.

smcv
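An added example (not part of the post above, nor Flatpak's own tooling) for an administrator weighing this mitigation: it checks whether the current user can still create a network namespace, and inventories which installed Flatpak apps are network-isolated and would therefore fail closed. It assumes Flatpak's per-app metadata keyfile at `<root>/app/<id>/current/active/metadata` records what the sandbox shares with the host under `[Context]` as `shared=network;ipc;`, so an app finished with `--unshare=network` simply lacks `network` there; the sample installation root built by `make_sample_root` is constructed for the dry run.

```shell
#!/bin/sh
# Added example: find Flatpak apps that depend on network namespaces.

# Print "1" if this user can create a network namespace right now, else "0".
# unshare(1) is util-linux; -r maps the caller to root in a user namespace.
netns_available() {
    if unshare -rn true >/dev/null 2>&1; then echo 1; else echo 0; fi
}

# Given one metadata keyfile, print "isolated" when the [Context] shared=
# list lacks "network" (or the key is absent), "shared" otherwise.
app_network_mode() {
    awk '
        /^\[/ { in_ctx = ($0 == "[Context]"); next }
        in_ctx && /^shared=/ {
            n = split(substr($0, 8), v, ";")      # "shared=" is 7 chars
            for (i = 1; i <= n; i++) if (v[i] == "network") found = 1
        }
        END { print (found ? "shared" : "isolated") }
    ' "$1"
}

# Walk an installation root (assumed layout: /var/lib/flatpak or
# ~/.local/share/flatpak) and print one "app-id mode" line per app.
list_flatpak_network_modes() {
    root="$1"
    for meta in "$root"/app/*/current/active/metadata; do
        [ -f "$meta" ] || continue
        id=${meta#"$root"/app/}
        id=${id%%/*}
        printf '%s %s\n' "$id" "$(app_network_mode "$meta")"
    done
}

# Constructed sample root with one isolated and one network-sharing app.
make_sample_root() {
    root=$(mktemp -d)
    mkdir -p "$root/app/org.example.Isolated/current/active" \
             "$root/app/org.example.Online/current/active"
    printf '[Application]\nname=org.example.Isolated\n\n[Context]\nshared=ipc;\nsockets=wayland;\n' \
        > "$root/app/org.example.Isolated/current/active/metadata"
    printf '[Application]\nname=org.example.Online\n\n[Context]\nshared=network;ipc;\n' \
        > "$root/app/org.example.Online/current/active/metadata"
    echo "$root"
}
```

On a real host, run `list_flatpak_network_modes /var/lib/flatpak` (and the per-user root) and compare against `netns_available`: any app reported as `isolated` while namespaces are unavailable will refuse to start rather than silently gain network access.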