Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow use of restricted userns #99

Open
valoq opened this issue Oct 26, 2024 · 1 comment
Open

Allow use of restricted userns #99

valoq opened this issue Oct 26, 2024 · 1 comment

Comments

@valoq
Copy link

valoq commented Oct 26, 2024

Last year Ubuntu started to support a new sysctl kernel.apparmor_restrict_unprivileged_userns that allows the use of user namespaces only if the process is confined by an apparmor profile and includes the permission userns, thereby allowing a restricted use of userns. The required patches allegedly also made it into the upstream kernel.

Recently apparmor version 4 was published and this week made it to arch as well, installing a number of apparmor profiles that include the new userns permission for application that require it, thereby allowing the vanilla arch kernel to use restricted userns by setting kernel.apparmor_restrict_unprivileged_userns to 1

With an increasing number of applications displaying warnings when userns are unavailable and consequently reducing or disabling runtime protection features, it may be a good idea to allow restricted userns in the hardened kernel since now the default apparmor package supports it as well.

For this to work the hardened kernel config would need to include CONFIG_USER_NS_UNPRIVILEGED=y while also setting kernel.apparmor_restrict_unprivileged_userns to 1 by default, thereby arriving at the same restrictions we have now since the restricted userns will only be available for processes running in apparmor, which is not loaded as an lsm by default.
While this change wont impact user that do not want userns, it will allow anyone to load the apparmor lsm and use userns for specified applications.

Feature details: https://discourse.ubuntu.com/t/spec-unprivileged-user-namespace-restrictions-via-apparmor-in-ubuntu-23-10/37626

Update: The vanilla kernel has kernel.unprivileged_userns_apparmor_policy set to 1 but there seems to be no documentation about it and whether this is equal to kernel.apparmor_restrict_unprivileged_userns
Currently looking for more information.

@valoq
Copy link
Author

valoq commented Oct 31, 2024

The feature has yet to make it into the upstream kernel and is expected to possibly arrive in linux 6.14
https://lists.ubuntu.com/archives/apparmor/2024-October/013386.html

Once this is available, I would suggest to use the above described settings by default in linux-hardened to allow the use of userns for apparmor confined processes. Users till have to setup apparmor profiles to enable the use of userns for specified applications, thereby the default does not change

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant