Received: by 2002:ab2:6203:0:b0:1f5:f2ab:c469 with SMTP id o3csp1682516lqt; Sun, 21 Apr 2024 05:31:14 -0700 (PDT) X-Forwarded-Encrypted: i=2; AJvYcCUXj/TaWfkDscsviFMFG+C0itroKdqB3vbe3f7rV7mNhAAXOkRnD2FR6CWNNoakouWUvzBKx0e8Be3tkIpDoDgjlPILktxuPCrnJ7RaTw== X-Google-Smtp-Source: AGHT+IHfPoP6EakntDH0A+hIJ1ehP4Q1cuov+Rp8dFnGp2vLULyUMm1UzTVKPqr+t8zd1GGV32Kz X-Received: by 2002:a17:906:a11:b0:a53:4006:31a with SMTP id w17-20020a1709060a1100b00a534006031amr4368266ejf.59.1713702674554; Sun, 21 Apr 2024 05:31:14 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1713702674; cv=none; d=google.com; s=arc-20160816; b=aPj2un2reAtuVhy8d8WK+aqPrH3+j0fLRjxvwkZz/4UsrzXDSlFwA/ItTdqDzgDSgx HbBLVbPO3L/3x2rmp6vLC4Uvmg1y9KCAAEtvaLfUUhw52oNEiobCapu6gS6PT3F4pSUa PJAIKsSAICWsO+o+/JjvQIRIhOfch4vp5dgojq6k8bcduaUobNV08Ru3B06c2dx8Y95M pNzPBZAYLZmvVkJB2DeHtQI/RKF9F7aMG3H2fmbViRKoUJGiBORyt6UBqLiUtCEyLzyk HBZf8HiBKLwUGMCEQhHUpVdlH0bkQwXPFu6I/ukm5u2bOOCSKk1zt73l0lXqzGQL9MUR P0dQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=subject:in-reply-to:content-disposition:mime-version:references :message-id:to:from:date:dkim-signature:delivered-to:reply-to :list-id:list-subscribe:list-unsubscribe:list-help:list-post :precedence:mailing-list; bh=M60aLlnsCl9DpJScufvTgDSBWEUnyh+6BHVr132hxz4=; fh=9jsPTyo6edd9xvAeG+KFFrRrXMmgB/RdwUKOrvy9dcA=; b=qgKqbV49Grby+DlbKCZYgzcVLUKZZx2wVOHair6IOSPN3IbT9Okz4Xo4b7Cut4wjC3 exTdW5/bO05dhl1N2vmY7v6KtYgGt9p7NSb1PIhYtHX4HnqTyIL41p4ZrIX7daT4K/0Q 6vU/8wH5DIqPSP8ewXLbHvzsl3nPn3G13HwALjO0q/94TxxAp+E0MAWZbR/GwOT+GqK5 lJjL3UAGptaAY5ZFyUOtoFB61SlP/pPWqRvDiJdJ0P9Wgz7XSyQwClhlBGlipB3NMQWn +Vn03IvajcX7r+AnkL5QugNMP9Tiho+RVgYZ6Lhm8pprrX/Vd5Y4504vTA6HYi/gog3F Cvlw==; dara=google.com ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@debian.org header.s=smtpauto.stravinsky header.b=sLraIauk; spf=pass (google.com: domain of oss-security-return-30063-linux.lists.archive=gmail.com@lists.openwall.com designates 193.110.157.125 as permitted sender) smtp.mailfrom="oss-security-return-30063-linux.lists.archive=gmail.com@lists.openwall.com" Return-Path: Received: from second.openwall.net (second.openwall.net. [193.110.157.125]) by mx.google.com with SMTP id v18-20020a170906b01200b00a51e4539384si4542384ejy.773.2024.04.21.05.31.14 for ; Sun, 21 Apr 2024 05:31:14 -0700 (PDT) Received-SPF: pass (google.com: domain of oss-security-return-30063-linux.lists.archive=gmail.com@lists.openwall.com designates 193.110.157.125 as permitted sender) client-ip=193.110.157.125; Authentication-Results: mx.google.com; dkim=fail header.i=@debian.org header.s=smtpauto.stravinsky header.b=sLraIauk; spf=pass (google.com: domain of oss-security-return-30063-linux.lists.archive=gmail.com@lists.openwall.com designates 193.110.157.125 as permitted sender) smtp.mailfrom="oss-security-return-30063-linux.lists.archive=gmail.com@lists.openwall.com" Received: (qmail 32389 invoked by uid 550); 21 Apr 2024 12:31:00 -0000 Mailing-List: contact oss-security-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Reply-To: oss-security@lists.openwall.com Delivered-To: mailing list oss-security@lists.openwall.com Received: (qmail 32365 invoked from network); 21 Apr 2024 12:31:00 -0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debian.org; s=smtpauto.stravinsky; h=X-Debian-User:In-Reply-To:Content-Type:MIME-Version: References:Message-ID:Subject:To:From:Date:Reply-To:Cc: Content-Transfer-Encoding:Content-ID:Content-Description; bh=M60aLlnsCl9DpJScufvTgDSBWEUnyh+6BHVr132hxz4=; b=sLraIaukQ61Us6cxnNJe8+f176 +idkVuZFIsvWjV8Qojv4h7BT2EXDlsndrjlFqGpdS703VU2k3OLNH65eLWXtblTg86DLbfAybdoeV nMV32A+URwQi85TGmN/DhgnNvIa6ET1LqSoeThcSawkt68rYAoV/s7WKyNFwkGL5L0m/sZp78AjpG QiCvOCubbxPclM3ItpkLBrzkdvpsxS5ob2SgWf+jtkqG2lQGJXMYfxMa6R8eHry3zoypQGuqgtcLC X0QvXtRuE6KEW/EVo3YLRSU0U+iOErKDOK2NoNSMbdhRJKqRpKhzdXM9svuOemz8RSscY9fqNJpGu am8J51Kw==; Date: Sun, 21 Apr 2024 13:30:49 +0100 From: Simon McVittie To: oss-security@lists.openwall.com Message-ID: References: <20240414190855.GA12716@openwall.com> <354b913bc1c154c1e3a2fc34ed8ed6b0d4641f11.camel@canonical.com> <20240419154435.GA7046@openwall.com> <20240420181211.GA12463@openwall.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20240420181211.GA12463@openwall.com> X-Debian-User: smcv Subject: Re: [oss-security] Linux: Disabling network namespaces On Sat, 20 Apr 2024 at 20:12:11 +0200, Solar Designer wrote: > So with my idea/proposal, someone using these tools on a > desktop system would need to set the max depth to 1. That would leave > the kernel's full attack surface exposed on the host system, but not to > sandboxed programs because those would run with capabilities already > relinquished (per what you write above) and would not be able to regain > them by creating a nested namespace. I believe that's all correct. If someone prototypes this, a way to verify it would be, minimally: $ ip addr ls (should show all your IP addresses) $ bwrap --dev-bind / / -- ip addr ls (same output) $ bwrap --dev-bind / / --unshare-net -- ip addr ls (should show only lo with 127.0.0.1 and ::1) or for a "whole stack" version with Flatpak, install any random Flatpak app such as org.gnome.Recipes and do: $ flatpak run --unshare=network org.gnome.Recipes # or to explore the sandbox environment interactively $ flatpak run --command=bash --unshare=network org.gnome.Recipes For simplicity, the use of bwrap shown above is not a security boundary: it doesn't make any attempt to restrict access to the host filesystem like e.g. Flatpak does. bwrap command-lines that implement a meaningful security boundary, while still providing useful functionality, are much longer than that! > Sounds like a worthwhile feature? I'm not sure. As with most security designs, it depends on your security model. To protect a trusted user from their own sandboxed apps, it should be unnecessary/redundant for Flatpak users, because Flatpak already doesn't let apps inherit CAP_NET_ADMIN or create new user namespaces - but it could be useful for other sandboxed app frameworks, or as a second line of defence against Flatpak not providing the boundary that it aims to. To protect the OS and other users from a malicious or compromised user account using kernel vulnerabilities to elevate privileges, it's insufficient - if that's your security model then there isn't going to be any substitute for either trusting the kernel to make CAP_NET_ADMIN in a non-init user namespace be safe, or trusting a component like bwrap to impose restrictions that its caller is not allowed to bypass. Of course, any time we say things like "trusting a component to impose restrictions that its caller is not allowed to bypass", we get into the same territory as setuid/setgid/setcap, in terms of needing to prevent LD_PRELOAD, LD_LIBRARY_PATH and similar ways to influence the trusted component's behaviour from the outside - which is likely to be impossible if the kernel isn't helping to defang those aspects of the execution environment by flagging the process as AT_SECURE, either in core kernel code or in an LSM like AppArmor. I believe the kernel maintainers' position is that CAP_NET_ADMIN in a non-init userns is meant to be safe for untrusted code to have, so auditing and if necessary hardening the kernel's use of CAP_NET_ADMIN might well be better-received upstream than trying to limit which parts of user-space can obtain it. smcv