ubuntustudio-bugs team mailing list archive

[John Johansen <2046844@xxxxxxxxxxxxxxxxxx>]

On 11/16/24 06:42, Sam wrote:
> I was wondering about the threats being mitigated by disabling
> unprivileged userns like this. After some searching, I was able to find
> this rationale: https://discourse.ubuntu.com/t/spec-unprivileged-user-
> namespace-restrictions-via-apparmor-in-ubuntu-23-10/37626
> 
> Now my question becomes: On a system where software like podman or
> flatpak are installed, wouldn't an unprivileged attacker be able to
> trivially leverage that software to work around your apparmor
> limitation? Would there be any security benefit in keeping
> `kernel.apparmor_restrict_unprivileged_userns` set to 0 with the
> presence of such software on the system?
> 
> For context, I'm trying to evaluate my options since we make extensive
> use of bwrap in our systems. Currently, all my attempts to fix bwrap
> ended with `bwrap: setting up uid map: Permission denied` which was
> finally explained when I discovered this bug.
> 

@samluanch as you noted, container managers like flatpak and podman
can indeed be a problem dependent on what their children are allowed
to do. Yes if not handled correctly they can be used as a trivial
by-pass, which is part of the reason you have run into problems
with bwrap.

The container manager can be limited, and its children's rights
can be mitigated, keeping the manager from being used as a trivial
by-pass. There is a bwrap profile hat allows bwrap to function.
It however does limit/break some of bwrap. And it has had
interactions with flatpak, that lead to it being reverted. There
will be another attempt to roll a revised version out.

The other part of the answer to your inquiry is, Ubuntu is
trying to ship a secure by default configuration. Users are
allowed to install, what they want. Change configurations,
etc. The user is then opting into a less secure configuration.

We will not be setting the restriction to 0 with the installation
of such software on the system because it can still block
attacks, to by-pass it an attack will have to be tailored
to use a software that is not enabled by default, and requires
privilege to install. In addition  there are configurations of
flatpak, and podmap that can work with the restriction, so it
very much will depend on your local config.

-- 
You received this bug notification because you are a member of Ubuntu
Studio Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/2046844

Title:
  AppArmor user namespace creation restrictions cause many applications
  to crash with SIGTRAP

Status in AppArmor:
  New
Status in Wike:
  New
Status in akonadiconsole package in Ubuntu:
  Fix Released
Status in akregator package in Ubuntu:
  Fix Released
Status in angelfish package in Ubuntu:
  Fix Released
Status in apparmor package in Ubuntu:
  Fix Released
Status in bubblewrap package in Ubuntu:
  Fix Committed
Status in cantor package in Ubuntu:
  Fix Released
Status in devhelp package in Ubuntu:
  Fix Released
Status in digikam package in Ubuntu:
  Fix Released
Status in epiphany-browser package in Ubuntu:
  Fix Released
Status in evolution package in Ubuntu:
  Fix Released
Status in falkon package in Ubuntu:
  Fix Released
Status in firefox package in Ubuntu:
  Confirmed
Status in foliate package in Ubuntu:
  Fix Committed
Status in freecad package in Ubuntu:
  Invalid
Status in geary package in Ubuntu:
  Fix Released
Status in ghostwriter package in Ubuntu:
  Fix Released
Status in gnome-packagekit package in Ubuntu:
  Invalid
Status in goldendict-webengine package in Ubuntu:
  Fix Released
Status in guix package in Ubuntu:
  Confirmed
Status in kalgebra package in Ubuntu:
  Fix Released
Status in kchmviewer package in Ubuntu:
  Fix Released
Status in kdeplasma-addons package in Ubuntu:
  Fix Released
Status in kgeotag package in Ubuntu:
  Fix Released
Status in kiwix package in Ubuntu:
  Incomplete
Status in kmail package in Ubuntu:
  Fix Released
Status in konqueror package in Ubuntu:
  Fix Released
Status in kontact package in Ubuntu:
  Fix Released
Status in loupe package in Ubuntu:
  Fix Released
Status in marble package in Ubuntu:
  Fix Released
Status in notepadqq package in Ubuntu:
  Fix Released
Status in opam package in Ubuntu:
  Fix Released
Status in pageedit package in Ubuntu:
  Fix Released
Status in plasma-desktop package in Ubuntu:
  Fix Released
Status in plasma-welcome package in Ubuntu:
  Fix Released
Status in privacybrowser package in Ubuntu:
  Invalid
Status in qmapshack package in Ubuntu:
  Fix Released
Status in qutebrowser package in Ubuntu:
  Fix Released
Status in rssguard package in Ubuntu:
  Fix Released
Status in steam package in Ubuntu:
  Fix Released
Status in supercollider package in Ubuntu:
  Fix Released
Status in tellico package in Ubuntu:
  Fix Released
Status in tor package in Ubuntu:
  Confirmed
Status in wike package in Ubuntu:
  Fix Committed
Status in apparmor source package in Noble:
  Fix Released

Bug description:
  Hi, I run Ubuntu development branch 24.04 and I have a problem with
  Epiphany browser 45.1-1 (Gnome Web): program doesn't launch, and I get
  this error

  $ epiphany
  bwrap: Creating new namespace failed: Permission denied

  ** (epiphany:12085): ERROR **: 14:44:35.023: Failed to fully launch dbus-proxy: Le processus fils s’est terminé avec le code 1
  Trappe pour point d'arrêt et de trace (core dumped)

  $ epiphany
  bwrap: Creating new namespace failed: Permission denied

  ** (epiphany:30878): ERROR **: 22:22:26.926: Failed to fully launch dbus-proxy: Le processus fils s’est terminé avec le code 1
  Trappe pour point d'arrêt et de trace (core dumped)

  Thanks for your help!

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/2046844/+subscriptions