canonical-ubuntu-qa team mailing list archive

Thread
Date
[Bug 2035315] Re: Unprivileged user namespace restrictions break various applications

To: canonical-ubuntu-qa@xxxxxxxxxxxxxxxxxxx
From: Ubuntu QA Website <2035315@xxxxxxxxxxxxxxxxxx>
Date: Tue, 09 Jan 2024 23:33:29 -0000
Reply-to: Bug 2035315 <2035315@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx
This bug has been reported on the Ubuntu ISO testing tracker.

A list of all reports related to this bug can be found here:
http://iso.qa.ubuntu.com/qatracker/reports/bugs/2035315

** Tags added: iso-testing

-- 
You received this bug notification because you are a member of
Canonical's Ubuntu QA, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2035315

Title:
  Unprivileged user namespace restrictions break various applications

Status in apparmor package in Ubuntu:
  Fix Released
Status in lxc package in Ubuntu:
  Fix Released

Bug description:
  When the unprivileged user namespace restrictions are enabled, various
  applications within and outside the Ubuntu archive fail to function,
  as they use unprivileged user namespaces as part of their normal
  operation.

  A search of the Ubuntu archive for the 23.10 release was performed
  looking for all applications that make legitimate use of the
  CLONE_NEWUSER argument, the details of which can be seen in
  https://docs.google.com/spreadsheets/d/1MOPVoTW0BROF1TxYqoWeJ3c6w2xKElI4w-VjdCG0m9s/edit#gid=2102562502

  For each package identified in that list, an investigation was made to
  determine if the application actually used this as an unprivileged
  user, and if so which of the binaries within the package were
  affected.

  The full investigation can be seen in
  https://warthogs.atlassian.net/browse/SEC-1898 (which is unfortunately
  private) but is summarised to the following list of Ubuntu source
  packages, with the affected binaries as noted. NOTE that due to time
  constraints for some packages it was not possible to finish the
  complete investigation and so for those *all* the binaries from the
  package are listed below.

  For each of these binaries, an apparmor profile is required so that
  the binary can be granted use of unprivileged user namespaces - an
  example profile for the ch-run binary within the charliecloud package
  is shown:

  $ cat /etc/apparmor.d/usr.bin.ch-run 
  abi <abi/4.0>,

  include <tunables/global>

  /usr/bin/ch-run flags=(unconfined) {
    userns,

    # Site-specific additions and overrides. See local/README for details.
    include if exists <local/usr.bin.ch-run>
  }

  
  However, in a few select cases, it has been decided not to ship an apparmor profile, since this would effectively allow this mitigation to be bypassed. In particular, the unshare and setns binaries within the util-linux package are installed on every Ubuntu system, and allow an unprivileged user the ability to launch an arbitrary application within a new user namespace. Any malicious application then that wished to exploit an unprivileged user namespace to conduct an attack on the kernel would simply need to spawn itself via `unshare -U` or similar to be granted this permission. Therefore, due to the ubiquitous nature of the unshare (and setns) binaries, profiles are not planned to be provided for these by default. Similarly, the bwrap binary within bubblewrap is also installed by default on Ubuntu Desktop 23.10 and can also be used to launch arbitrary binaries within a new user namespace and so no profile is planned to be provided for this either.

  Those packages for which either a profile is not required or which a
  profile is not planned are listed below, whilst the list of packages
  that require a profile (and their associated binaries) is listed at
  the end:

  Packages that use user namespaces but for which a profile is not
  required or not planned:

    - bubblewrap
      - /usr/bin/bwrap (NOT PLANNED AS NOTED ABOVE)
    - cifs-utils
      - /usr/sbin/cifs.upcall (NOT REQUIRED AS IS EXECUTED AS root)
    - consfigurator  # NOT REQUIRED, NO BINARIES OR reverse-depends
    - criu
      - /usr/sbin/criu (NOT REQUIRED SINCE ONLY FUNCTIONS AS root)
    - docker.io-app
      - /usr/bin/dockerd (NOT REQUIRED SINCE RUNS AS root)
    - firejail
      - /usr/bin/firejail (NOT REQUIRED SINCE is suid root)
    - golang-github-containers-storage
      - /usr/bin/containers-storage (NOT REQUIRED SINCE ONLY FUNCTIONS AS root)
    - golang-gvisor-gvisor
      - /usr/bin/runsc (NOT REQUIRED SINCE ONLY FUNCTIONS AS root)
    - guix
      - /usr/bin/guix-daemon (NOT REQURIED SINCE RUNS AS root)
    - libvdestack # NOT REQUIRED, NO BINARIES OR reverse-depends
    - libvirt # NOT REQUIRED SINCE USES lxc WHICH WILL HAVE A PROFILE
    - network-manager # NOT REQUIRED SINCE CODE IS UNUSED
    - nix # APPEARS UNNEEDED IN DEFAULT CONFIGURATION
    - ocaml-extunix # NO BINARIES OR reverse-depends
    - passt
      - /usr/bin/passt # IS EXPECTED TO BE EXECUTED AS root
    - rust-rustix # NO BINARIES AND CODE IS UNUSED IN THE ARCHIVE
    - util-linux
      - 
  Packages that use unprivileged user namespaces which require a profile (or already have one as part of the previous apparmor update in 4.0.0~alpha2-0ubuntu1 via LP: #2030353):

    - bazel-bootstrap
      - /usr/libexec/@{multiarch}/bazel/linux-sandbox
    - busybox
      - /usr/bin/busybox
    - charliecloud
      - /usr/bin/ch-checkns (included in 4.0.0~alpha2-0ubuntu1 via LP: #2030353)
      - /usr/bin/ch-run  (included in 4.0.0~alpha2-0ubuntu1 via LP: #2030353)
    - crun
      - /usr/bin/crun (included in 4.0.0~alpha2-0ubuntu1 via LP: #2030353)
    - flatpak
      - /usr/bin/flatpak
    - golang-github-containers-buildah
      - /usr/bin/buildah
    - libcamera
      - /usr/bin/cam
      - /usr/bin/ipa_verify
      - /usr/bin/lc-compliance
      - /usr/bin/libcamerify
      - /usr/bin/qcam
    - libpod
      - /usr/bin/podman
    - lxc
      - /usr/bin/lxc-attach
      - /usr/bin/lxc-create
      - /usr/bin/lxc-destroy
      - /usr/bin/lxc-execute
      - /usr/bin/lxc-start
      - /usr/bin/lxc-stop
      - /usr/bin/lxc-unshare
      - /usr/bin/lxc-usernsexec
    - mmdebstrap
      - /usr/bin/mmdebstrap
    - ocproxy
      - /usr/bin/vpnns
    - qt6-webengine
      - /usr/lib/qt6/libexec/QtWebEngineProcess
    - qtwebengine-opensource-src
      - /usr/lib/@{multiarch}/qt5/libexec/QtWebEngineProcess
    - rootlesskit
      - /usr/bin/rootlesskit
    - rpm
      - /usr/bin/rpm
    - runc
      - /usr/sbin/runc

  
  The usage of CLONE_NEWUSER within the following packages were not able to be analysed fully and so profile are included for all relevant binaries:

    - rust-virtiofsd
      - /usr/libexec/virtiofsd
    - sbuild
      - /usr/bin/sbuild
      - /usr/bin/sbuild-abort
      - /usr/bin/sbuild-apt
      - /usr/bin/sbuild-checkpackages
      - /usr/bin/sbuild-clean
      - /usr/bin/sbuild-createchroot
      - /usr/bin/sbuild-distupgrade
      - /usr/bin/sbuild-hold
      - /usr/bin/sbuild-shell
      - /usr/bin/sbuild-unhold
      - /usr/bin/sbuild-update
      - /usr/bin/sbuild-upgrade
      - /usr/sbin/sbuild-adduser
      - /usr/sbin/sbuild-destroychroot  
    - slirp4netns
      - /usr/bin/slirp4netns
    - stress-ng
      - /usr/bin/stress-ng
    - systemd
    - thunderbird
      - /usr/bin/thunderbird
    - toybox
      - /bin/toybox
    - trinity
      - /usr/bin/trinity
    - tup
      - /usr/bin/tup
    - userbindmount
      - /usr/bin/userbindmount
    - uwsgi
      - /usr/bin/uwsgi-core
    - vdens
      - /usr/bin/vdens

  Finally as noted in https://bugs.launchpad.net/ubuntu/+source/linux-
  meta-nvidia-5.19/+bug/2017980 the popular third-party application
  Google Chrome also requires unprivileged user namespaces:

    - google-chrome
      - /opt/google/chrome/chrome

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2035315/+subscriptions