Received: by 2002:ab2:6203:0:b0:1f5:f2ab:c469 with SMTP id o3csp1357197lqt; Sat, 20 Apr 2024 11:12:53 -0700 (PDT) X-Forwarded-Encrypted: i=2; AJvYcCUdukofPSrbTJnv9WSk8dxSyTSweYWP+FCOYtuvsluDyoZ7tNDEv0QwgZXOJQItqaVhWy2fNW4jzOEmb8xNUoHhgZXJkdycMwxDMLMFag== X-Google-Smtp-Source: AGHT+IEn6Oj487B7RB9IFGlWvb8z0hG2bcGfV9GKgl80KRyvrfZKhPwj/c+UAMuKrX6hu3nFRN9+ X-Received: by 2002:a50:8d0f:0:b0:56e:230c:d686 with SMTP id s15-20020a508d0f000000b0056e230cd686mr3635177eds.36.1713636773745; Sat, 20 Apr 2024 11:12:53 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1713636773; cv=none; d=google.com; s=arc-20160816; b=oUlWXikZgXhRoIo3hCWTgpam1DB9X9VBmZWu2RFtWvePiiTWNM9vwKpvZonOscEaiK PwMh9BxTGP5Rl3VX55J5WNJFnZhT9eGU2kZJKi4cWbsggAawgzzlSDCx1P0vzQOcC6Pm Qui4Tb7v4I3jrVM/i8VYD4bbdGY8CWiZaBaPVVGULBF6jHCQJFMoFWEmpKsgoE59a1so zmxMQqHfXfS1aZbONbSENIQioSHJTocpsHhJ19duJsygXu+1+hebPNDFBiQ+MFqxf1E5 FVoJwmYfMpDvd8v9PML+poTnvqHbY6P60yVd6eN5Zc+67ULz0LsxVn7EwuK5JRl6wXGs srKw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=subject:user-agent:in-reply-to:content-disposition:mime-version :references:message-id:to:from:date:delivered-to:delivered-to :reply-to:list-id:list-subscribe:list-unsubscribe:list-help :list-post:precedence:mailing-list; bh=SSS9FsmaC9sYPa2muTVhmBckiNsu7YPzk2vifUavmpU=; fh=9jsPTyo6edd9xvAeG+KFFrRrXMmgB/RdwUKOrvy9dcA=; b=IFoAYL8vcB0pBljmGcS66R8Uzlv6dCVY6cvKYA+lHnLGIpGX4LfgVwCy5oNpQhqqzO yaUkkk2UcO/eg72uUPvrf8YM9/ZI+fzSUcaLrX/W7PfaYUZWcgoyFmmQ8h+ZOZo1qEoB ARiTGO137o+hsSC0XfnL/1GouczGeaK17/5n+mpBZIIU9GuAbkouYRWnKjR2BUHY9GC4 QtbJ18Mf1009KidwM9Aiq71x138TSgTFVNdOrVA+FelmrtjON1I8DOW+3o0B02Fc7lI9 AYcNdURFDdlZzz24kkKNrJOTTwr1tjwbgmbYlf08zOBwAJju4AHrEiWIBYuFvf4rmm6w 8vvg==; dara=google.com ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of oss-security-return-30059-linux.lists.archive=gmail.com@lists.openwall.com designates 193.110.157.125 as permitted sender) smtp.mailfrom="oss-security-return-30059-linux.lists.archive=gmail.com@lists.openwall.com" Return-Path: Received: from second.openwall.net (second.openwall.net. [193.110.157.125]) by mx.google.com with SMTP id u14-20020a05640207ce00b0056c53d92a25si3518636edy.338.2024.04.20.11.12.53 for ; Sat, 20 Apr 2024 11:12:53 -0700 (PDT) Received-SPF: pass (google.com: domain of oss-security-return-30059-linux.lists.archive=gmail.com@lists.openwall.com designates 193.110.157.125 as permitted sender) client-ip=193.110.157.125; Authentication-Results: mx.google.com; spf=pass (google.com: domain of oss-security-return-30059-linux.lists.archive=gmail.com@lists.openwall.com designates 193.110.157.125 as permitted sender) smtp.mailfrom="oss-security-return-30059-linux.lists.archive=gmail.com@lists.openwall.com" Received: (qmail 14307 invoked by uid 550); 20 Apr 2024 18:12:33 -0000 Mailing-List: contact oss-security-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Reply-To: oss-security@lists.openwall.com Delivered-To: mailing list oss-security@lists.openwall.com Delivered-To: moderator for oss-security@lists.openwall.com Received: (qmail 13955 invoked from network); 20 Apr 2024 18:12:11 -0000 Date: Sat, 20 Apr 2024 20:12:11 +0200 From: Solar Designer To: oss-security@lists.openwall.com Message-ID: <20240420181211.GA12463@openwall.com> References: <20240414190855.GA12716@openwall.com> <354b913bc1c154c1e3a2fc34ed8ed6b0d4641f11.camel@canonical.com> <20240419154435.GA7046@openwall.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.4.2.3i Subject: Re: [oss-security] Linux: Disabling network namespaces On Fri, Apr 19, 2024 at 06:25:02PM +0100, Simon McVittie wrote: > On Fri, 19 Apr 2024 at 17:44:35 +0200, Solar Designer wrote: > > I guess > > systemd's PrivateNetwork services generally don't configure networking > > (they just give up network access), so would continue to work even with > > capabilities disallowed? > > I can't speak for systemd's PrivateNetwork services, but for the > bubblewrap use-cases that I described elsewhere in the thread (Flatpak, > libgnome-desktop etc.), `bwrap --unshare-net` does bring up the "lo" > interface with address 127.0.0.1 and a route to 127.0.0.0/8 before it > relinquishes its capabilities and execs the sandboxed program. > > Presumably this is because it's common for ordinary user-space applications > to assume that they can "talk to themselves" via loopback, even if there is > no external connectivity. Thank you. So with my idea/proposal, someone using these tools on a desktop system would need to set the max depth to 1. That would leave the kernel's full attack surface exposed on the host system, but not to sandboxed programs because those would run with capabilities already relinquished (per what you write above) and would not be able to regain them by creating a nested namespace. Sounds like a worthwhile feature? Does bubblewrap maybe already relinquish also the ability to create nested namespaces, which it probably could do with seccomp? I guess not as that would break its usage to sandbox programs like Firefox that also create a namespace for their own sandbox. With namespace creation still allowed but capabilities ineffective, I guess such programs maybe could still work if they don't need to configure networking in the sandbox. Alexander