oss-sec mailing list archives
Re: Linux: Disabling network namespaces
From: Simon McVittie <smcv () debian org>
Date: Mon, 15 Apr 2024 16:32:02 +0100
On Sun, 14 Apr 2024 at 21:08:55 +0200, Solar Designer forwarded:
> Some other container runtimes such as Docker and Podman do make use of network namespaces by default.

As an example of a less traditional container environment, Flatpak optionally uses network namespaces (as implemented by bubblewrap, bwrap(1)) to isolate apps from the network, and disabling network namespaces will break the ability to run apps that have `--unshare=network` in their manifests. I believe it will "fail closed" in this situation (refusing to run the affected app, rather than running the app but giving it unintended network access).

A workaround would be to run the affected apps with `flatpak run --share=network ...`, or permanently reconfigure their sandboxing parameters with `flatpak override --share=network ...`, but either of those workarounds would remove the network isolation feature and give the affected apps unrestricted network access.

Similarly, libgnome-desktop uses bubblewrap to run sandboxed thumbnailers with no network access, mitigating vulnerabilities that might exist in thumbnailers or the libraries that they use. Again, I believe it will "fail closed", but I haven't checked.

Similarly, WebKitGTK uses bubblewrap to sandbox parts of itself with no network access, xdg-desktop-portal uses bubblewrap for sandboxed icon validation, and I'm sure there are others. (<https://codesearch.debian.net/search?q=--unshare-net>)

So I suspect that the mitigation of disabling network namespaces is likely to be too disruptive to be applicable on desktops, and only useful on servers.

    smcv
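The post leaves open whether a bwrap(1) sandbox that asks for `--unshare-net` fails closed once network namespaces are disabled. The following shell script is an added example, not part of the message above or of the bubblewrap or Flatpak projects, that an administrator can run before and after applying the mitigation: it reads the kernel limit `user.max_net_namespaces` (a real sysctl, though not named in the post; 0 disables creation), tries to create a network namespace as an unprivileged user with util-linux `unshare(1)`, runs a trivial command under `bwrap --unshare-net` if bubblewrap is installed, and turns the three observations into a verdict. The `verdict` function is the assumption-free part: it only classifies the probe results, so the same classification can be reused for Flatpak apps whose manifests carry `--unshare=network`.

```shell
#!/bin/sh
# Added example (not from the original post): probe whether network namespaces
# are usable on this host and whether a bubblewrap --unshare-net invocation
# fails closed when they are not. Assumes util-linux unshare(1); bwrap(1) is
# optional and only probed when present.

# Kernel limit on network namespaces per user namespace; 0 means creation is
# disabled. Prints "unknown" if the sysctl file is not present.
max_net_namespaces() {
    f=/proc/sys/user/max_net_namespaces
    if [ -r "$f" ]; then cat "$f"; else echo unknown; fi
}

# Try to create a network namespace as an unprivileged user: -r maps the
# caller to root in a fresh user namespace, -n requests a new net namespace.
# Prints "yes" if the kernel allowed it, "no" otherwise.
netns_available() {
    if ! command -v unshare >/dev/null 2>&1; then echo no; return; fi
    if unshare -rn true >/dev/null 2>&1; then echo yes; else echo no; fi
}

# Run /bin/true inside a bwrap sandbox that asks for its own net namespace.
# Prints "runs", "refused", or "bwrap-not-installed".
bwrap_unshare_net() {
    if ! command -v bwrap >/dev/null 2>&1; then echo bwrap-not-installed; return; fi
    if bwrap --ro-bind / / --unshare-net true >/dev/null 2>&1; then
        echo runs
    else
        echo refused
    fi
}

# Classify probe results. Arguments: <limit> <netns_available> <bwrap result>.
# Pure function of its inputs, so it can be tested without touching the kernel.
verdict() {
    limit=$1; avail=$2; bw=$3
    if [ "$avail" = yes ]; then
        echo "netns usable (limit=$limit): --unshare-net sandboxes keep working"
    elif [ "$bw" = refused ]; then
        echo "netns disabled (limit=$limit): --unshare-net sandboxes fail closed, affected apps are refused rather than given network access"
    elif [ "$bw" = runs ]; then
        echo "netns disabled (limit=$limit) but bwrap --unshare-net ran: investigate whether the sandbox silently lost network isolation"
    else
        echo "netns disabled (limit=$limit): bubblewrap not installed, nothing to probe"
    fi
}

# Stand-alone run: print the three raw observations and the verdict.
main() {
    l=$(max_net_namespaces); a=$(netns_available); b=$(bwrap_unshare_net)
    echo "user.max_net_namespaces=$l unprivileged_netns=$a bwrap_unshare_net=$b"
    verdict "$l" "$a" "$b"
}

# Only run main when executed directly, not when sourced by a test harness.
case "$0" in *netns_probe.sh) main ;; esac
```

On a desktop where the mitigation has been applied, the expected outcome is the "fail closed" line; seeing "runs" while `netns_available` reports "no" would be the case worth a bug report, since it means something created the namespace anyway or the sandbox started without one.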