On 11/16/24 06:42, Sam wrote: > I was wondering about the threats being mitigated by disabling > unprivileged userns like this. After some searching, I was able to find > this rationale: https://discourse.ubuntu.com/t/spec-unprivileged-user- > namespace-restrictions-via-apparmor-in-ubuntu-23-10/37626 > > Now my question becomes: On a system where software like podman or > flatpak are installed, wouldn't an unprivileged attacker be able to > trivially leverage that software to work around your apparmor > limitation? Would there be any security benefit in keeping > `kernel.apparmor_restrict_unprivileged_userns` set to 0 with the > presence of such software on the system? > > For context, I'm trying to evaluate my options since we make extensive > use of bwrap in our systems. Currently, all my attempts to fix bwrap > ended with `bwrap: setting up uid map: Permission denied` which was > finally explained when I discovered this bug. >
@samluanch as you noted, container managers like flatpak and podman can indeed be a problem dependent on what their children are allowed to do. Yes if not handled correctly they can be used as a trivial by-pass, which is part of the reason you have run into problems with bwrap. The container manager can be limited, and its children's rights can be mitigated, keeping the manager from being used as a trivial by-pass. There is a bwrap profile hat allows bwrap to function. It however does limit/break some of bwrap. And it has had interactions with flatpak, that lead to it being reverted. There will be another attempt to roll a revised version out. The other part of the answer to your inquiry is, Ubuntu is trying to ship a secure by default configuration. Users are allowed to install, what they want. Change configurations, etc. The user is then opting into a less secure configuration. We will not be setting the restriction to 0 with the installation of such software on the system because it can still block attacks, to by-pass it an attack will have to be tailored to use a software that is not enabled by default, and requires privilege to install. In addition there are configurations of flatpak, and podmap that can work with the restriction, so it very much will depend on your local config. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2046844 Title: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP To manage notifications about this bug go to: https://bugs.launchpad.net/apparmor/+bug/2046844/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
