edubuntu-bugs team mailing list archive
Message #10811
Re: [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP
On 11/16/24 06:42, Sam wrote:
> I was wondering about the threats being mitigated by disabling
> unprivileged userns like this. After some searching, I was able to find
> this rationale:
> https://discourse.ubuntu.com/t/spec-unprivileged-user-namespace-restrictions-via-apparmor-in-ubuntu-23-10/37626
>
> Now my question becomes: On a system where software like podman or
> flatpak are installed, wouldn't an unprivileged attacker be able to
> trivially leverage that software to work around your apparmor
> limitation? Would there be any security benefit in keeping
> `kernel.apparmor_restrict_unprivileged_userns` set to 0 with the
> presence of such software on the system?
>
> For context, I'm trying to evaluate my options since we make extensive
> use of bwrap in our systems. Currently, all my attempts to fix bwrap
> ended with `bwrap: setting up uid map: Permission denied` which was
> finally explained when I discovered this bug.
>
@samluanch as you noted, container managers like flatpak and podman
can indeed be a problem, depending on what their children are allowed
to do. Yes, if not handled correctly they can be used as a trivial
by-pass, which is part of the reason you have run into problems
with bwrap.

The container manager can be limited, and its children's rights
can be mitigated, keeping the manager from being used as a trivial
by-pass. There is a bwrap profile that allows bwrap to function.
It does, however, limit/break some of bwrap, and it has had
interactions with flatpak that led to it being reverted. There
will be another attempt to roll a revised version out.

The other part of the answer to your inquiry is that Ubuntu is
trying to ship a secure-by-default configuration. Users are
allowed to install what they want, change configurations,
etc. The user is then opting into a less secure configuration.
We will not be setting the restriction to 0 with the installation
of such software on the system because it can still block
attacks; to by-pass it, an attack will have to be tailored
to use software that is not enabled by default and requires
privilege to install. In addition, there are configurations of
flatpak and podman that can work with the restriction, so it
very much will depend on your local config.
--
You received this bug notification because you are a member of Edubuntu
Bugsquad, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/2046844
Title:
AppArmor user namespace creation restrictions cause many applications
to crash with SIGTRAP
To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/2046844/+subscriptions