Add --disable-userns switch #452
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Some usecases of bubblewrap want to ensure that the subprocess can't
further re-arrange the filesystem namespace, or do other more complex
namespace modification. This can be limited by --disable-userns,
which makes the kernel unable to create any new user namespaces
for the process hierarchy.
This is done by making a cover of the original root, but running the
process with the origin root as root anyway. This "non-standard" root
means the kernel will not allow creating new user namespaces.
This is more typically done using chroot("/theroot") which would also
mean the root of the namespace ("/") differes from the process current
root ("/theroot)". However, we want to avoid this as in this case symlinks
in /proc/$pid/fd would have a "/theroot" prefix when seen outside the
namespace, which is something that e.g. flatpak doesn't want.
Note, there is a slight cost to this as the covering bind mount
duplicates all the regular mounts in namespace. However, they all
refer to the same mounts so no actual files are duplicated.
|
This was initially discussed in https://github.com/flatpak/flatpak/security/advisories/GHSA-67h7-w3jq-vh4q#advisory-comment-68447 |
|
Sorry, I don't have the necessary knowledge of kernel subtleties to review this. |
mcatanzaro
reviewed
Oct 10, 2021
| { | ||
| if (using_userns2) | ||
| { | ||
| /* If we're not in the main userns, the we don't own the |
smcv
reviewed
Oct 12, 2021
Comment on lines
+2996
to
+2999
| /* Mount a bind cover of the root fs. This will trigger | ||
| * current_chrooted() in create_user_ns() in the kernel at: | ||
| * https://elixir.bootlin.com/linux/v5.14.4/source/kernel/user_namespace.c#L92 | ||
| * making it impossible for the process to create new user namespaces. |
There was a problem hiding this comment.
Is this an API guarantee that we can rely on, or an implementation detail that kernel developers could randomly change in a future version (thus making us vulnerable again)?
There was a problem hiding this comment.
I believe this behavior is stable API, because it is fundamental in exposing user namespaces in a secure way.
|
Wouldn't it be more straightforward to use the If the user namespace is a child of the initial user namespace you could of course bump the max_user_namespaces value from 0 back up if are privileged to write to that sysctl. But you can create an intermediary user namespace set the limit to 1 and then create the user namespace for the actual program to run in. Inside this user namespace, it is still possible to set the sysctl to some large number but the kernel enforces that any stricter max value in a parent namespace is enforced. |
rusty-snake
reviewed
Feb 18, 2022
| * https://elixir.bootlin.com/linux/v5.14.4/source/kernel/user_namespace.c#L92 | ||
| * making it impossible for the process to create new user namespaces. | ||
| * | ||
| * What happens is that the path "/" in the namespace noew |
There was a problem hiding this comment.
Suggested change
| * What happens is that the path "/" in the namespace noew | |
| * What happens is that the path "/" in the namespace now |
This looks like a simpler way to achieve the same thing. I might try implementing it if you don't get there first. |
smcv
added a commit
to smcv/bubblewrap
that referenced
this pull request
Mar 22, 2022
Some use-cases of bubblewrap want to ensure that the subprocess can't further re-arrange the filesystem namespace, or do other more complex namespace modification. For example, Flatpak wants to prevent sandboxed processes from altering their /proc/$pid/root/.flatpak-info, so that /.flatpak-info can safely be used as an indicator that a process is part of a Flatpak app. This approach was suggested by lukts30 on containers#452. The sysctl-controlled maximum numbers of namespaces are themselves namespaced, so we can disable nested user namespaces by setting the limit to 1 and then entering a new, nested user namespace. The resulting process loses its privileges in the namespace where the limit was set to 1, so it is unable to move the limit back up. Signed-off-by: Simon McVittie <smcv@collabora.com>
#488 reimplements this feature with that approach. |
smcv
added a commit
to smcv/bubblewrap
that referenced
this pull request
Mar 22, 2022
Some use-cases of bubblewrap want to ensure that the subprocess can't further re-arrange the filesystem namespace, or do other more complex namespace modification. For example, Flatpak wants to prevent sandboxed processes from altering their /proc/$pid/root/.flatpak-info, so that /.flatpak-info can safely be used as an indicator that a process is part of a Flatpak app. This approach was suggested by lukts30 on containers#452. The sysctl-controlled maximum numbers of namespaces are themselves namespaced, so we can disable nested user namespaces by setting the limit to 1 and then entering a new, nested user namespace. The resulting process loses its privileges in the namespace where the limit was set to 1, so it is unable to move the limit back up. Signed-off-by: Simon McVittie <smcv@collabora.com>
smcv
added a commit
to smcv/bubblewrap
that referenced
this pull request
Aug 9, 2022
Some use-cases of bubblewrap want to ensure that the subprocess can't further re-arrange the filesystem namespace, or do other more complex namespace modification. For example, Flatpak wants to prevent sandboxed processes from altering their /proc/$pid/root/.flatpak-info, so that /.flatpak-info can safely be used as an indicator that a process is part of a Flatpak app. This approach was suggested by lukts30 on containers#452. The sysctl-controlled maximum numbers of namespaces are themselves namespaced, so we can disable nested user namespaces by setting the limit to 1 and then entering a new, nested user namespace. The resulting process loses its privileges in the namespace where the limit was set to 1, so it is unable to move the limit back up. Signed-off-by: Simon McVittie <smcv@collabora.com>
alexlarsson
pushed a commit
to smcv/bubblewrap
that referenced
this pull request
Sep 6, 2022
Some use-cases of bubblewrap want to ensure that the subprocess can't further re-arrange the filesystem namespace, or do other more complex namespace modification. For example, Flatpak wants to prevent sandboxed processes from altering their /proc/$pid/root/.flatpak-info, so that /.flatpak-info can safely be used as an indicator that a process is part of a Flatpak app. This approach was suggested by lukts30 on containers#452. The sysctl-controlled maximum numbers of namespaces are themselves namespaced, so we can disable nested user namespaces by setting the limit to 1 and then entering a new, nested user namespace. The resulting process loses its privileges in the namespace where the limit was set to 1, so it is unable to move the limit back up. Signed-off-by: Simon McVittie <smcv@collabora.com>
|
closing this in favour of #488 |
smcv
added a commit
to smcv/bubblewrap
that referenced
this pull request
Dec 16, 2022
Some use-cases of bubblewrap want to ensure that the subprocess can't further re-arrange the filesystem namespace, or do other more complex namespace modification. For example, Flatpak wants to prevent sandboxed processes from altering their /proc/$pid/root/.flatpak-info, so that /.flatpak-info can safely be used as an indicator that a process is part of a Flatpak app. This approach was suggested by lukts30 on containers#452. The sysctl-controlled maximum numbers of namespaces are themselves namespaced, so we can disable nested user namespaces by setting the limit to 1 and then entering a new, nested user namespace. The resulting process loses its privileges in the namespace where the limit was set to 1, so it is unable to move the limit back up. Co-authored-by: Alexander Larsson <alexl@redhat.com> Signed-off-by: Simon McVittie <smcv@collabora.com>
smcv
added a commit
to smcv/bubblewrap
that referenced
this pull request
Dec 16, 2022
Some use-cases of bubblewrap want to ensure that the subprocess can't further re-arrange the filesystem namespace, or do other more complex namespace modification. For example, Flatpak wants to prevent sandboxed processes from altering their /proc/$pid/root/.flatpak-info, so that /.flatpak-info can safely be used as an indicator that a process is part of a Flatpak app. This approach was suggested by lukts30 on containers#452. The sysctl-controlled maximum numbers of namespaces are themselves namespaced, so we can disable nested user namespaces by setting the limit to 1 and then entering a new, nested user namespace. The resulting process loses its privileges in the namespace where the limit was set to 1, so it is unable to move the limit back up. Co-authored-by: Alexander Larsson <alexl@redhat.com> Signed-off-by: Simon McVittie <smcv@collabora.com>
smcv
added a commit
to smcv/bubblewrap
that referenced
this pull request
Dec 16, 2022
Some use-cases of bubblewrap want to ensure that the subprocess can't further re-arrange the filesystem namespace, or do other more complex namespace modification. For example, Flatpak wants to prevent sandboxed processes from altering their /proc/$pid/root/.flatpak-info, so that /.flatpak-info can safely be used as an indicator that a process is part of a Flatpak app. This approach was suggested by lukts30 on containers#452. The sysctl-controlled maximum numbers of namespaces are themselves namespaced, so we can disable nested user namespaces by setting the limit to 1 and then entering a new, nested user namespace. The resulting process loses its privileges in the namespace where the limit was set to 1, so it is unable to move the limit back up. Co-authored-by: Alexander Larsson <alexl@redhat.com> Signed-off-by: Simon McVittie <smcv@collabora.com>
alexlarsson
added a commit
that referenced
this pull request
Jan 3, 2023
Some use-cases of bubblewrap want to ensure that the subprocess can't further re-arrange the filesystem namespace, or do other more complex namespace modification. For example, Flatpak wants to prevent sandboxed processes from altering their /proc/$pid/root/.flatpak-info, so that /.flatpak-info can safely be used as an indicator that a process is part of a Flatpak app. This approach was suggested by lukts30 on #452. The sysctl-controlled maximum numbers of namespaces are themselves namespaced, so we can disable nested user namespaces by setting the limit to 1 and then entering a new, nested user namespace. The resulting process loses its privileges in the namespace where the limit was set to 1, so it is unable to move the limit back up. Co-authored-by: Alexander Larsson <alexl@redhat.com> Signed-off-by: Simon McVittie <smcv@collabora.com>
brandsimon
pushed a commit
to brandsimon/bubblewrap
that referenced
this pull request
Mar 19, 2023
Some use-cases of bubblewrap want to ensure that the subprocess can't further re-arrange the filesystem namespace, or do other more complex namespace modification. For example, Flatpak wants to prevent sandboxed processes from altering their /proc/$pid/root/.flatpak-info, so that /.flatpak-info can safely be used as an indicator that a process is part of a Flatpak app. This approach was suggested by lukts30 on containers#452. The sysctl-controlled maximum numbers of namespaces are themselves namespaced, so we can disable nested user namespaces by setting the limit to 1 and then entering a new, nested user namespace. The resulting process loses its privileges in the namespace where the limit was set to 1, so it is unable to move the limit back up. Co-authored-by: Alexander Larsson <alexl@redhat.com> Signed-off-by: Simon McVittie <smcv@collabora.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Some usecases of bubblewrap want to ensure that the subprocess can't
further re-arrange the filesystem namespace, or do other more complex
namespace modification. This can be limited by --disable-userns,
which makes the kernel unable to create any new user namespaces
for the process hierarchy.
This is done by making a cover of the original root, but running the
process with the origin root as root anyway. This "non-standard" root
means the kernel will not allow creating new user namespaces.
This is more typically done using chroot("/theroot") which would also
mean the root of the namespace ("/") differes from the process current
root ("/theroot)". However, we want to avoid this as in this case symlinks
in /proc/$pid/fd would have a "/theroot" prefix when seen outside the
namespace, which is something that e.g. flatpak doesn't want.
Note, there is a slight cost to this as the covering bind mount
duplicates all the regular mounts in namespace. However, they all
refer to the same mounts so no actual files are duplicated.