oss-sec mailing list archives
Re: Linux: Disabling network namespaces
From: Demi Marie Obenour <demi () invisiblethingslab com>
Date: Sun, 14 Apr 2024 18:47:26 -0400
On Sun, Apr 14, 2024 at 09:08:55PM +0200, Solar Designer wrote:
Hi, Many Linux kernel vulnerabilities including the recently exploited Netfilter CVE-2024-1086 require CAP_NET_ADMIN in a namespace, yet a typically recommended mitigation is to disable user namespaces (not just network namespaces). Further, while on Debian/Ubuntu it is possible to disable just unprivileged user namespaces with the Debian-specific sysctl kernel.unprivileged_userns_clone=0, on other distros we'd have to use user.max_user_namespaces=0, which (unnecessarily) prevents starting of containers even by root. Fredrik Nystrom on Rocky Linux Mattermost channel Security pointed out that it is reasonable to disable just network namespaces with user.max_net_namespaces=0 instead, and that the negative effects of doing so and how to cope with them are well-documented for Apptainer, with its documentation also covering Docker, Podman, and systemd: https://apptainer.org/docs/admin/latest/user_namespace.html#disabling-network-namespaces I hope some of us in here find this useful, and maybe we (including distros) will start recommending this milder mitigation when sufficient.
Is this still compatible with Firefox? IMO an ideal solution would be: 1. Provide a privileged helper daemon that sets up containers based on user requirements. 2. Port programs that use containers to use this helper. -- Sincerely, Demi Marie Obenour (she/her/hers) Invisible Things Lab
Attachment:
signature.asc
Description:
Current thread:
- Linux: Disabling network namespaces Solar Designer (Apr 14)
- Re: Linux: Disabling network namespaces Demi Marie Obenour (Apr 15)
- Re: Linux: Disabling network namespaces Solar Designer (Apr 15)
- Re: Linux: Disabling network namespaces Simon McVittie (Apr 15)
- Re: Linux: Disabling network namespaces Jordan Glover (Apr 16)
- Re: Linux: Disabling network namespaces Mickaël Salaün (May 17)
- Re: Linux: Disabling network namespaces Solar Designer (Apr 15)
- Re: Linux: Disabling network namespaces Demi Marie Obenour (Apr 15)
- Re: Linux: Disabling network namespaces Solar Designer (Apr 19)
- Re: Linux: Disabling network namespaces Simon McVittie (Apr 19)
- Re: Linux: Disabling network namespaces Solar Designer (Apr 20)
- Re: Linux: Disabling network namespaces Jordan Glover (Apr 20)