Date: Mon, 22 Apr 2024 18:10:27 -0400
From: Demi Marie Obenour
To: oss-security@lists.openwall.com
Subject: Re: [oss-security] Linux: Disabling network namespaces

On Mon, Apr 22, 2024 at 02:33:56PM +0000, Jordan Glover wrote:
> On Sunday, April 21st, 2024 at 10:06 PM, Solar Designer wrote:
>
> > In what exact way would nested namespaces bypass the security design of
> > Flatpak? Is this about the kernel's attack surface exposed by
> > capabilities in a namespace or something else? I guess capabilities are
> > also dropped in the nested namespace?
>
> In flatpak, apps in a container communicate with the host through portals[1] using dbus.
> Portals identify a particular app through a unique appid (i.e. "org.mozilla.firefox"
> for firefox) and grant some permissions according to that. The appid is read from
> /.flatpak-info, which exists inside the container and is immutable there. If namespaces
> were available inside the sandbox then a malicious app could leverage a mount namespace
> to mount a crafted /.flatpak-info containing arbitrary data and lie to the portal
> about its appid - it could tell the portal that it's org.mozilla.firefox when it isn't.
>
> [1] https://github.com/flatpak/xdg-desktop-portal
>
> Jordan

Why is the appid read from /.flatpak-info, instead of having the flatpak
process that spawned the container pass the info to the dbus proxy along
with the FD used to communicate with the container?
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
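To make the two identification paths contrasted in this thread concrete, here is an added Python model; it is not code from Flatpak or xdg-desktop-portal. The keyfile layout of /.flatpak-info (an INI-style file whose [Application] section carries a "name" key) is assumed from Flatpak's real format, and SpawnerRegistry is a hypothetical stand-in for the design the reply asks about, where the spawning process binds the app ID to the connection it hands the proxy.

```python
"""Model of two ways a portal can learn a sandboxed caller's app ID.

Path (1) mirrors the mechanism described in the thread: the portal parses
the /.flatpak-info it sees in the caller's root, so the identity is exactly
whatever that file says. Path (2) models the alternative raised in the
reply: the process that spawned the sandbox registers the app ID with the
proxy, keyed by the FD handed over, so the sandboxed code never supplies
its own identity.
"""
import configparser

# Constructed sample of /.flatpak-info (real layout assumed: INI keyfile,
# app ID in [Application] name=...).
SAMPLE_FLATPAK_INFO = """\
[Application]
name=org.mozilla.firefox
runtime=runtime/org.freedesktop.Platform/x86_64/23.08
"""


def app_id_from_flatpak_info(text):
    """Path (1): parse the app ID out of the keyfile contents as seen by the
    portal. Returns None when the section or key is absent."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg.get("Application", "name", fallback=None)


class SpawnerRegistry:
    """Path (2, hypothetical): identity bound out-of-band by the spawner and
    looked up by the FD (modelled as an int) used to talk to the container."""

    def __init__(self):
        self._by_fd = {}

    def register(self, fd, app_id):
        # A connection is bound exactly once; rebinding would let a later
        # registration override the identity fixed at spawn time.
        if fd in self._by_fd:
            raise ValueError("fd %d already bound to an app ID" % fd)
        self._by_fd[fd] = app_id

    def app_id_for(self, fd):
        return self._by_fd.get(fd)


def portal_decide(app_id, allowed):
    """Grant only when the resolved identity is on the portal's allow list."""
    return app_id is not None and app_id in allowed
```

In path (2) the lookup key is the connection itself, so nothing the sandboxed process writes into its own mount view changes the answer the portal gets.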