Received: by 2002:ab2:6203:0:b0:1f5:f2ab:c469 with SMTP id o3csp1883893lqt; Sun, 21 Apr 2024 13:44:52 -0700 (PDT) X-Forwarded-Encrypted: i=2; AJvYcCWov8+fxMMlJ8AMkkZ/zG07Ee2LTACiFck65gzVSyQncyMTsPJldazzf4gSqRCFj4kTkqfWwBsE4o7a+A7EO7buxtD9tRSEcL0SwxzbPg== X-Google-Smtp-Source: AGHT+IF5fy28UgIv9qNb/+g0cl2L97vttNYJfWFMiXa3DjuTBXPtzsxEGMP1BCajDifo6EfaUi3L X-Received: by 2002:a17:906:589:b0:a52:1fb:180d with SMTP id 9-20020a170906058900b00a5201fb180dmr4870990ejn.46.1713732292141; Sun, 21 Apr 2024 13:44:52 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1713732292; cv=none; d=google.com; s=arc-20160816; b=hK/P7HspHWrIMd7IlQh2ccNhR6RIWzgEMDK2XPj43grBc6qetInwfC37sU5BefWCQ0 19jC7soU1vvmgkutk/yhF3k20sn82YipUW/OMAXmpHyKvNW0N5hlT/aoH4UJE6E1+v6b /2rYxF1vuBgMNlsALLKVt4OyEBjjCiZE0GyskbmXumMXF1At/j9Ml23/tGUjLgAqY63n FBsOcWngv+jH0mVsYUqDdR/95hA+x92h+R3YniuBRZuc/Y4sTnyoBhXkU4NDhNdu7NSg ADTO6qyR1rBhDZbfQXBDu1Bceb8GmyRsCwEjZgogMZVsRkuzpEHg1q2YXQvIz95xPJjd +NJQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=subject:user-agent:in-reply-to:content-disposition:mime-version :references:message-id:to:from:date:delivered-to:delivered-to :reply-to:list-id:list-subscribe:list-unsubscribe:list-help :list-post:precedence:mailing-list; bh=B0Pr10IoU+8sqzfpLiViETl7zsbBKZPblYBaYQ+1XUw=; fh=9jsPTyo6edd9xvAeG+KFFrRrXMmgB/RdwUKOrvy9dcA=; b=AzKttJYZY5RezN3soffaVyBePn+4MKyiAIOW7utH/40PtWA/Y7weYJNWIaNpHNAk9T KzeXboRKqKX7XJIsWow8wGR9xQj23qfgLHvlmGpBrTcILGz3pkIKox4L1zi9zX/oZtB/ ehuHGx6veb8hmkQI2kXC2HBIkv/24kOtrzW5glmoDgboKONsmKGUaIVOml3H4qoHdpMA Y4dvuWg8zAojr0CkekqjZbQqx4HgWTlfpABWci1Yj3N8nn29Bn5HeSSogQvM0I0OsJx7 tLAnnM1rhKWVRFAf2lm+KvrBL4uz+7DFW/9Fw75zdcwxSEmnw1ZCVTLYupII+A1D4XKU 4Pqg==; dara=google.com ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of oss-security-return-30065-linux.lists.archive=gmail.com@lists.openwall.com designates 193.110.157.125 as permitted sender) smtp.mailfrom="oss-security-return-30065-linux.lists.archive=gmail.com@lists.openwall.com" Return-Path: Received: from second.openwall.net (second.openwall.net. [193.110.157.125]) by mx.google.com with SMTP id f4-20020a170906c08400b00a55ab44d01fsi1242189ejz.881.2024.04.21.13.44.52 for ; Sun, 21 Apr 2024 13:44:52 -0700 (PDT) Received-SPF: pass (google.com: domain of oss-security-return-30065-linux.lists.archive=gmail.com@lists.openwall.com designates 193.110.157.125 as permitted sender) client-ip=193.110.157.125; Authentication-Results: mx.google.com; spf=pass (google.com: domain of oss-security-return-30065-linux.lists.archive=gmail.com@lists.openwall.com designates 193.110.157.125 as permitted sender) smtp.mailfrom="oss-security-return-30065-linux.lists.archive=gmail.com@lists.openwall.com" Received: (qmail 9430 invoked by uid 550); 21 Apr 2024 20:44:32 -0000 Mailing-List: contact oss-security-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Reply-To: oss-security@lists.openwall.com Delivered-To: mailing list oss-security@lists.openwall.com Delivered-To: moderator for oss-security@lists.openwall.com Received: (qmail 25759 invoked from network); 21 Apr 2024 20:06:33 -0000 Date: Sun, 21 Apr 2024 22:06:25 +0200 From: Solar Designer To: oss-security@lists.openwall.com Message-ID: <20240421200625.GA16869@openwall.com> References: <20240414190855.GA12716@openwall.com> <354b913bc1c154c1e3a2fc34ed8ed6b0d4641f11.camel@canonical.com> <20240419154435.GA7046@openwall.com> <20240420181211.GA12463@openwall.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.4.2.3i Subject: Re: [oss-security] Linux: Disabling network namespaces On Sat, Apr 20, 2024 at 09:33:07PM +0000, Jordan Glover wrote: > bubblwrap has --disable-userns option which prevents creation of nested namespaces (from manpage): > > --disable-userns > Prevent the process in the sandbox from creating further user namespaces, so that it cannot rearrange the filesystem namespace or do other more complex namespace modification. This is currently implemented by setting the user.max_user_namespaces sysctl to 1, and then entering a nested user namespace which is unable to raise that limit in the outer namespace. This option requires --unshare-user, and doesn't work in the setuid version of bubblewrap. > > Flatpak uses this (or seccomp filter) to block nested namespaces as this can bypass security its design. For this reason firefox own sandbox doesn't use namespaces in flatpak, see https://bugzilla.mozilla.org/show_bug.cgi?id=1756236 Thanks, I didn't expect it was this advanced already. In what exact way would nested namespaces bypass the security design of Flatpak? Is this about the kernel's attack surface exposed by capabilities in a namespace or something else? I guess capabilities are also dropped in the nested namespace? After reviewing some kernel code, I have doubts as to how effective the dropping of capabilities in a namespace actually is. security/commoncap.c: cap_capable() includes this: /* * The owner of the user namespace in the parent of the * user namespace has all caps. */ if ((ns->parent == cred->user_ns) && uid_eq(ns->owner, cred->euid)) return 0; this check is only reached when cap_capable() is called for a target namespace other than one the credentials are from. However, such uses do exist, e.g. via Netlink, which would expose e.g. Netfilter: net/netlink/af_netlink.c: /** * netlink_net_capable - Netlink network namespace message capability test * @skb: socket buffer holding a netlink command from userspace * @cap: The capability to use * * Test to see if the opener of the socket we received the message * from had when the netlink socket was created and the sender of the * message has the capability @cap over the network namespace of * the socket we received the message from. */ bool netlink_net_capable(const struct sk_buff *skb, int cap) { return netlink_ns_capable(skb, sock_net(skb->sk)->user_ns, cap); } So I worry whether even with all namespaces in a sandbox having dropped capabilities, an attack can still be arranged (with a pair of namespaces one nested in the other) where a task effectively "has all caps" for a dangerous operation like configuring Netfilter due to it hitting code paths like this, which bypass capability bit checks. The above finding may be a reason for us to prefer making capabilities in a namespace ineffective vs. dropping capabilities. In context of my idea/proposal for a new sysctl, it could be better for it to work as I had described, overriding security_capable() return, instead of e.g. hooking return of create_user_ns() and dropping new cred's capabilities. I hope the Ubuntu/AppArmor solution is also safe in this respect, as it sounds like it similarly makes capabilities ineffective instead of dropping them. Alexander