The static analysis has been tracked in jira and some google sheets. I will copy the information below. Let me better break down where static analysis is sufficient and insufficient.
The limitations of the static analysis

The code search for clone and unshare should show up all direct uses of those syscalls. The static analysis done may not show up uses of clone where the clone flags are computed and the CLONE_NEWUSER argument is not directly being added; this case is expected to be rare. When the calls are in libraries, those library dependencies were tracked except in cases where dynamic loading is indirectly used; this case too is expected to be rare.

There is also the potential for breakage when applications (e.g. the shell) execute a utility that makes use of the unshare or clone syscall and the utility is unprivileged (no cap sys_admin) and unconfined (no profile for the utility). Use of the /usr/bin/unshare utility is the only case of this we are aware of. It is not being provided a profile because doing so provides a trivial bypass of the protection. It can still be used by applications with a profile (it will inherit the application's profile), and it can be called by a privileged user (e.g. via sudo).

Ubuntu archive

Dynamic testing has been done on all applications given a profile, or that are known to call the unshare utility. However, complete coverage testing for each application has not been done. LXD in particular is a known issue: https://github.com/canonical/lxd/issues/11920

We are in communication with the LXD team. LXD will be releasing an update to the edge channel this week that temporarily disables the feature dynamically when lxd is run. The feature will be re-enabled on reboot. The plan is to continue working with LXD so that this is not required in the future.
List of applications the static analysis of the archive found:

  bazel-bootstrap
  bubblewrap
  busybox
  charliecloud
  cifs-utils
  consfigurator
  criu
  crun
  docker.io-app
  firejail
  flatpak
  golang-github-containers-buildah
  golang-github-containers-storage
  golang-gvisor-gvisor
  guix
  libcamera
  libpod
  libvdestack
  libvirt
  lxc
  mmdebstrap
  network-manager
  nix
  ocaml-extunix
  ocproxy
  passt
  qt6-webengine
  qtwebengine-opensource-src
  rootlesskit
  rpm
  runc
  rust-rustix
  rust-virtiofsd
  sbuild
  slirp4netns
  stress-ng
  systemd
  thunderbird
  toybox
  trinity
  tup
  userbindmount
  util-linux
  uwsgi
  vdens

The profile bug tracking profiles merged for the above: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2035315

Note: as mentioned above, /usr/bin/unshare does make use of the syscalls but will not be provided a profile.

Non-archive

This is the area where static analysis largely fails. Instead we have tried to work with field and other teams to build up a list of applications that are out of archive that should be checked. We are still working through the list and will add profiles as needed. In addition to the profiles for the archive packages, profiles for:

  /opt/google/chrome/chrome
  /usr/share/code/bin/code
  /opt/microsoft/msedge/msedge
  /usr/lib/multiarch/opera/opera
  /opt/brave/com/brave/brave
  /opt/vivaldi/vivaldi-bin

** Bug watch added: github.com/canonical/lxd/issues #11920
   https://github.com/canonical/lxd/issues/11920

-- 
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2036128

Title:
  [FFe] enable unprivileged user namespace restrictions by default for mantic

Status in apparmor package in Ubuntu:
  New

Bug description:

As per https://discourse.ubuntu.com/t/spec-unprivileged-user-namespace-restrictions-via-apparmor-in-ubuntu-23-10/37626, unprivileged user namespace restrictions for Ubuntu 23.10 are to be enabled by default via a sysctl.d conf file in apparmor.
In https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2035315 new apparmor profiles were added to the apparmor package for various applications which require unprivileged user namespaces, using a new unconfined profile mode. To support this an additional change was added to the mantic kernel in https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/mantic/commit?h=master-next&id=7327726a2dbf571e05f7c095916dcce0347790b4 which is still currently unreleased.

Without this kernel change, if userns restrictions are enabled the existing policies added above will not actually work to allow them to be used by the various applications. As such we need to ensure that userns restrictions are not enabled via sysctl when this feature is not present / enabled.

Whilst it may be possible to capture the dependency logic via `Breaks:` or similar, this would not help in the case that a user booted into an older kernel with the new apparmor userspace package. As such, as well as enabling the sysctl via the sysctl.d conf file, it is proposed to add logic into the apparmor.service systemd unit to check that the kernel supports the aforementioned unconfined profile mode and that it is enabled - and if not then to force disable the userns restrictions sysctl via the following logic:

  userns_restricted=$(sysctl -n kernel.apparmor_restrict_unprivileged_userns)
  unconfined_userns=$([ -f /sys/kernel/security/apparmor/features/policy/unconfined_restrictions/userns ] && cat /sys/kernel/security/apparmor/features/policy/unconfined_restrictions/userns || echo 0)
  if [ -n "$userns_restricted" ] && [ "$userns_restricted" -eq 1 ]; then
    if [ "$unconfined_userns" -eq 0 ]; then
      # userns restrictions rely on unconfined userns to be supported
      echo "disabling unprivileged userns restrictions since unconfined userns is not supported / enabled"
      sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
    fi
  fi

This allows a local admin to disable the sysctl via the regular sysctl.d conf approach, but also makes sure we don't inadvertently enable it when it is not supported by the kernel.

This proposed change has been tested via the QA Regression Testing project, in particular with the specific test added in https://git.launchpad.net/qa-regression-testing/commit/?id=6f2c5ab7c8659174adac772ce0e894328bb5045d

This produces the following output, confirming the fallback works as expected on the current mantic kernel (which does not fully support the userns restrictions):

  -------------------------------------------------------------------------------
  Running test: './test-apparmor.py' distro: 'Ubuntu 23.10' kernel: '6.5.0-5.5 (Ubuntu 6.5.0-5.5-generic 6.5.0)' arch: 'amd64' init: 'systemd' uid: 0/0 SUDO_USER: 'ubuntu')
  test_unconfined_userns (__main__.ApparmorTest.test_unconfined_userns)
  Test that unconfined userns restrictions are applied ... Skipping private tests
  WARN: kernel rate limiting in effect
  Disabling ratelimiting until the next reboot. To renable, run:
  # sysctl -w kernel.printk_ratelimit=5
  (enabling userns restrictions)
  (restarting apparmor)
  (checking userns restrictions got disabled)
  ok

  ----------------------------------------------------------------------
  Ran 1 test in 0.232s

  OK
  -------------------------------------------------------------------------------

Also we can see on a fresh boot with this new version installed that apparmor.service shows it has disabled the sysctl before loading any profiles even though the conf file has it enabled - and finally we can see that unshare -U works as expected:

  root@sec-mantic-amd64:~# uptime
   07:04:48 up 0 min,  0 user,  load average: 0.00, 0.00, 0.00
  root@sec-mantic-amd64:~# journalctl -b0 --unit apparmor.service --no-pager
  Sep 15 07:04:47 sec-mantic-amd64 systemd[1]: Starting apparmor.service - Load AppArmor profiles...
  Sep 15 07:04:47 sec-mantic-amd64 apparmor.systemd[308]: Restarting AppArmor
  Sep 15 07:04:47 sec-mantic-amd64 apparmor.systemd[308]: disabling unprivileged userns restrictions since unconfined userns is not supported / enabled
  Sep 15 07:04:47 sec-mantic-amd64 apparmor.systemd[320]: kernel.apparmor_restrict_unprivileged_userns = 0
  Sep 15 07:04:47 sec-mantic-amd64 apparmor.systemd[308]: Reloading AppArmor profiles
  Sep 15 07:04:47 sec-mantic-amd64 systemd[1]: Finished apparmor.service - Load AppArmor profiles.
  root@sec-mantic-amd64:~# sysctl kernel.apparmor_restrict_unprivileged_userns
  kernel.apparmor_restrict_unprivileged_userns = 0
  root@sec-mantic-amd64:~# grep "^[^#]" /usr/lib/sysctl.d/10-apparmor.conf
  kernel.apparmor_restrict_unprivileged_userns = 1
  root@sec-mantic-amd64:~# sudo -iu ubuntu unshare -U id
  uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2036128/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
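The gating logic proposed for apparmor.service in the bug description, factored into functions and exercised against constructed files, as an added example that is not code from the bug report or from the apparmor package. The two file paths are parameters so the decision can be checked without a mantic kernel; on a real system they would be /proc/sys/kernel/apparmor_restrict_unprivileged_userns (the procfs file behind `sysctl -n kernel.apparmor_restrict_unprivileged_userns`) and the unconfined_restrictions/userns features file quoted above. The `effective_state` helper is an assumption of this example: a read-only post-boot check that reports whether the restriction actually took effect, which is what the `unshare -U id` run above demonstrates by hand.

```shell
#!/bin/sh
# Added example, not code from the bug report or the apparmor package.
# It factors the proposed apparmor.service gating logic into a function
# whose inputs are file paths, so the decision can be exercised against
# constructed files and the edge cases checked without a mantic kernel.
#
# Assumed (hypothetical) inputs:
#   SYSCTL_FILE  - file holding the current value of
#                  kernel.apparmor_restrict_unprivileged_userns; on a real
#                  system this is the procfs path behind `sysctl -n`,
#                  /proc/sys/kernel/apparmor_restrict_unprivileged_userns
#   FEATURE_FILE - the kernel's unconfined-userns support flag,
#                  /sys/kernel/security/apparmor/features/policy/unconfined_restrictions/userns

# read_value FILE: first line of FILE, or empty output when the file is
# absent (this is what `sysctl -n` yields on a kernel without the knob).
read_value() {
    if [ -f "$1" ]; then
        head -n 1 "$1"
    fi
    return 0
}

# userns_decision SYSCTL_FILE FEATURE_FILE
# Prints "disable" when apparmor.service should run
#   sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
# (restriction requested but the kernel cannot honour the unconfined
# profiles), and "keep" in every other case: knob absent, restriction
# off, or restriction on with kernel support present.
userns_decision() {
    userns_restricted=$(read_value "$1")
    unconfined_userns=$(read_value "$2")
    # A missing feature file means an older kernel: treat as unsupported (0),
    # exactly as the `[ -f ... ] && cat ... || echo 0` in the proposal does.
    [ -n "$unconfined_userns" ] || unconfined_userns=0

    if [ -n "$userns_restricted" ] && [ "$userns_restricted" -eq 1 ]; then
        if [ "$unconfined_userns" -eq 0 ]; then
            echo disable
            return 0
        fi
    fi
    echo keep
}

# effective_state SYSCTL_FILE FEATURE_FILE
# What an admin or a monitoring check should conclude after the service
# has run: "restricted" only when the knob is 1 AND the kernel supports
# unconfined userns; otherwise "unrestricted". Useful as a post-boot
# check that the sysctl.d value really took effect.
effective_state() {
    if [ "$(userns_decision "$1" "$2")" = keep ] \
       && [ "$(read_value "$1")" = 1 ]; then
        echo restricted
    else
        echo unrestricted
    fi
}

# Demo with constructed files covering the cases the proposal handles.
demo() {
    d=$(mktemp -d)
    printf '1\n' > "$d/sysctl"
    printf '0\n' > "$d/feature"
    printf 'restriction on, kernel unsupported : %s / %s\n' \
        "$(userns_decision "$d/sysctl" "$d/feature")" "$(effective_state "$d/sysctl" "$d/feature")"
    printf '1\n' > "$d/feature"
    printf 'restriction on, kernel supported   : %s / %s\n' \
        "$(userns_decision "$d/sysctl" "$d/feature")" "$(effective_state "$d/sysctl" "$d/feature")"
    printf '0\n' > "$d/sysctl"
    printf 'restriction off                    : %s / %s\n' \
        "$(userns_decision "$d/sysctl" "$d/feature")" "$(effective_state "$d/sysctl" "$d/feature")"
    printf 'knob absent (older kernel)         : %s / %s\n' \
        "$(userns_decision "$d/missing" "$d/feature")" "$(effective_state "$d/missing" "$d/feature")"
    rm -rf "$d"
}

# `sh this.sh --live` reads the real paths (read-only; never writes the sysctl).
if [ "${1:-}" = "--live" ]; then
    effective_state /proc/sys/kernel/apparmor_restrict_unprivileged_userns \
        /sys/kernel/security/apparmor/features/policy/unconfined_restrictions/userns
else
    demo
fi
```

Run without arguments it prints the four constructed scenarios; with `--live` it reports the effective state of the machine it runs on without changing anything. The one case that produces "disable" is the fresh-boot situation shown in the journal above: the sysctl.d file asks for 1 but the running kernel lacks unconfined userns support, so the service must reset the knob before profiles load.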