Enable unprivileged user namespace restrictions by default
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
apparmor (Ubuntu) | Triaged | Undecided | Unassigned |
Bug Description
As per https:/
When the unprivileged user namespace restrictions are enabled, various applications within and outside the Ubuntu archive fail to function, as they use unprivileged user namespaces as part of their normal operation.
A search of the Ubuntu archive for the 23.10 release was performed looking for all applications that make legitimate use of the CLONE_NEWUSER argument, the details of which can be seen in https:/
For each package identified in that list, an investigation was made to determine if the application actually used this as an unprivileged user, and if so which of the binaries within the package were affected.
The full investigation can be seen in https:/
For each of these binaries, an apparmor profile is required so that the binary can be granted use of unprivileged user namespaces - an example profile for the ch-run binary within the charliecloud package is shown:
$ cat /etc/apparmor.
abi <abi/4.0>,
include <tunables/global>

profile ch-run /usr/bin/ch-run flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/ch-run>
}
However, in a few select cases, it has been decided not to ship an apparmor profile, since this would effectively allow this mitigation to be bypassed. In particular, the unshare and setns binaries within the util-linux package are installed on every Ubuntu system, and allow an unprivileged user the ability to launch an arbitrary application within a new user namespace. Any malicious application that then wished to exploit an unprivileged user namespace to conduct an attack on the kernel would simply need to spawn itself via `unshare -U` or similar to be granted this permission. Therefore, due to the ubiquitous nature of the unshare (and setns) binaries, profiles are not planned to be provided for these by default.
Similarly, the bwrap binary within bubblewrap is also installed by default on Ubuntu Desktop 24.04 and can likewise be used to launch arbitrary binaries within a new user namespace, and so no profile is planned to be provided for this either.
In Bug 2035315 new apparmor profiles were added to the apparmor package for various applications which require unprivileged user namespaces, using a new unconfined profile mode. They were also added in the AppArmor upstream project.
As well as enabling the sysctl via the sysctl.d conf file, it is proposed to add logic into the apparmor.service systemd unit to check that the kernel supports the unconfined profile mode and that it is enabled - and if not then to force-disable the userns restrictions sysctl via the following logic:
userns_
unconfined_
if [ -n "$userns_
  if [ "$unconfined_
    # userns restrictions rely on unconfined userns to be supported
    echo "disabling unprivileged userns restrictions since unconfined userns is not supported / enabled"
    sysctl -w kernel.
  fi
fi
This allows a local admin to disable the sysctl via the regular sysctl.d conf approach, but to also make sure we don't inadvertently enable it when it is not supported by the kernel.
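The following is an added example, not code from the bug report or from the apparmor package. It collects the three things a local admin ends up wanting when this change lands: the decision logic from the apparmor.service check above written out for every combination of sysctl and kernel-feature state, a generator for the unconfined+userns profile shape used for ch-run, and a live probe that shows whether an unprivileged `unshare -U` is actually being refused. The sysctl key `kernel.apparmor_restrict_unprivileged_userns` and the feature-file path `/sys/kernel/security/apparmor/features/policy/unconfined_restrictions/userns` are assumptions (the bug text truncates both names); adjust them to whatever your kernel exposes.

```shell
#!/bin/sh
# Added example: audit helper for the unprivileged-userns restriction.
# Not part of the bug report or the apparmor package. The sysctl key and the
# AppArmor feature-file path are assumptions (the bug text truncates them).
SYSCTL_KEY="kernel.apparmor_restrict_unprivileged_userns"
FEATURE_FILE="/sys/kernel/security/apparmor/features/policy/unconfined_restrictions/userns"

# decide_userns_restriction RESTRICT UNCONFINED
#   RESTRICT   is the sysctl value ("" when the kernel has no such sysctl)
#   UNCONFINED is the feature-file content ("1" when unconfined-mode profiles
#              can grant userns, anything else otherwise)
# Same reasoning as the apparmor.service check: the restriction is only safe
# to leave on when the kernel can honour the profiles that hand userns back
# to legitimate binaries; otherwise every such binary would simply break.
decide_userns_restriction() {
    restrict="$1"
    unconfined="$2"
    if [ -z "$restrict" ]; then
        echo absent          # kernel does not implement the restriction
    elif [ "$restrict" = "0" ]; then
        echo off             # admin disabled it via sysctl.d
    elif [ "$unconfined" = "1" ]; then
        echo keep            # restriction on and the escape hatch works
    else
        echo disable         # restriction on but profiles cannot grant userns
    fi
}

# render_profile NAME PATH
# Emits a profile of the same shape as the ch-run example in the bug:
# unconfined mode (no other mediation) plus the userns permission.
render_profile() {
    name="$1"
    path="$2"
    printf 'abi <abi/4.0>,\n'
    printf 'include <tunables/global>\n\n'
    printf 'profile %s %s flags=(unconfined) {\n' "$name" "$path"
    printf '  userns,\n\n'
    printf '  # Site-specific additions and overrides. See local/README for details.\n'
    printf '  include if exists <local/%s>\n' "$name"
    printf '}\n'
}

# probe_unprivileged_userns
# Observes enforcement directly: as a non-root user, "unshare -U true" fails
# when the restriction is in force. Root keeps CAP_SYS_ADMIN and is not
# subject to it, so the probe is only meaningful for an unprivileged caller.
probe_unprivileged_userns() {
    if [ "$(id -u)" = "0" ]; then
        echo "skipped (root is not subject to the restriction)"
    elif unshare -U true 2>/dev/null; then
        echo allowed
    else
        echo denied
    fi
}

# audit_host: read the live values and report the decision and the probe.
audit_host() {
    restrict=$(sysctl -n "$SYSCTL_KEY" 2>/dev/null || true)
    unconfined=$(cat "$FEATURE_FILE" 2>/dev/null || true)
    echo "sysctl $SYSCTL_KEY = '${restrict:-<absent>}'"
    echo "unconfined userns feature = '${unconfined:-<absent>}'"
    echo "decision: $(decide_userns_restriction "$restrict" "$unconfined")"
    echo "unprivileged unshare -U: $(probe_unprivileged_userns)"
}

if [ "${1:-}" = "audit" ]; then
    audit_host
elif [ "${1:-}" = "profile" ] && [ $# -eq 3 ]; then
    # e.g.  ./userns_audit.sh profile ch-run /usr/bin/ch-run > /etc/apparmor.d/ch-run
    #       apparmor_parser -r /etc/apparmor.d/ch-run
    render_profile "$2" "$3"
fi
```

Run `sh userns_audit.sh audit` as an ordinary user to see both the configured state and the observed behaviour side by side; a "keep" decision together with "allowed" from the probe usually means the caller is already running under one of the unconfined-mode profiles (or under a binary such as unshare that the bug deliberately leaves unprofiled), not that the sysctl is ineffective.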
This bug was fixed in the package apparmor - 4.0.0~alpha2-0ubuntu7

---------------
apparmor (4.0.0~alpha2-0ubuntu7) noble; urgency=medium

  [Alex Murray]
  * Enable user namespace restrictions by default (LP: #2046477)
    - d/p/u/userns-runtime-disable.patch: add logic to disable user
      namespace restrictions if kernel lacks support
    - debian/usr/lib/sysctl.d/10-apparmor.conf: set sysctl value to 1 and
      update comment to match
    - debian/apparmor.service: run After systemd-sysctl.service

  [John Johansen]
  * Add additional AppArmor profiles to support third-party applications
    that use unprivileged user namespace
    - add d/p/u/oot-unconfined-profiles.patch
    - add profiles to debian/apparmor.install
      - /etc/apparmor.d/1password
      - /etc/apparmor.d/Discord
      - /etc/apparmor.d/MongoDB_Compass
      - /etc/apparmor.d/code
      - /etc/apparmor.d/firefox
      - /etc/apparmor.d/github-desktop
      - /etc/apparmor.d/obsidian
      - /etc/apparmor.d/opera
      - /etc/apparmor.d/polypane
      - /etc/apparmor.d/signal-desktop
      - /etc/apparmor.d/slack
      - /etc/apparmor.d/steam

  [Alex Murray]
  * Drop duplicate profiles for usr.share.code.bin.code and
    usr.lib.multiarch.opera.opera since they are now also in
    d/p/u/oot-unconfined-profiles.patch
    - modified d/p/u/userns-unconfined-profiles.patch to remove them
    - removed from debian/apparmor.install
    - added to debian/apparmor.maintscript to ensure they are removed on
      upgrade

 -- John Johansen <email address hidden>  Wed, 13 Dec 2023 20:38:45 -0800