As seen in
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2036302 it turns
out the lxc package already shipped a profile in
/etc/apparmor.d/usr.bin.lxc-create - so this profile itself needs to be
updated to add the userns permission and declare the new ABI in lxc in
mantic.
** Also affects: lxc (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2035315
Title:
Unprivileged user namespace restrictions break various applications
Status in apparmor package in Ubuntu:
Fix Released
Status in lxc package in Ubuntu:
New
Bug description:
When the unprivileged user namespace restrictions are enabled, various
applications within and outside the Ubuntu archive fail to function,
as they use unprivileged user namespaces as part of their normal
operation.
A search of the Ubuntu archive for the 23.10 release was performed
looking for all applications that make legitimate use of the
CLONE_NEWUSER argument, the details of which can be seen in
https://docs.google.com/spreadsheets/d/1MOPVoTW0BROF1TxYqoWeJ3c6w2xKElI4w-VjdCG0m9s/edit#gid=2102562502
For each package identified in that list, an investigation was made to
determine if the application actually used this as an unprivileged
user, and if so which of the binaries within the package were
affected.
The full investigation can be seen in
https://warthogs.atlassian.net/browse/SEC-1898 (which is unfortunately
private) but is summarised to the following list of Ubuntu source
packages, with the affected binaries as noted. NOTE that due to time
constraints for some packages it was not possible to finish the
complete investigation and so for those *all* the binaries from the
package are listed below.
For each of these binaries, an apparmor profile is required so that
the binary can be granted use of unprivileged user namespaces - an
example profile for the ch-run binary within the charliecloud package
is shown:
$ cat /etc/apparmor.d/usr.bin.ch-run
abi <abi/4.0>,
include <tunables/global>
/usr/bin/ch-run flags=(unconfined) {
userns,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/usr.bin.ch-run>
}
However, in a few select cases, it has been decided not to ship an apparmor
profile, since this would effectively allow this mitigation to be bypassed. In
particular, the unshare and setns binaries within the util-linux package are
installed on every Ubuntu system, and allow an unprivileged user the ability to
launch an arbitrary application within a new user namespace. Any malicious
application then that wished to exploit an unprivileged user namespace to
conduct an attack on the kernel would simply need to spawn itself via `unshare
-U` or similar to be granted this permission. Therefore, due to the ubiquitous
nature of the unshare (and setns) binaries, profiles are not planned to be
provided for these by default. Similarly, the bwrap binary within bubblewrap is
also installed by default on Ubuntu Desktop 23.10 and can also be used to
launch arbitrary binaries within a new user namespace and so no profile is
planned to be provided for this either.
Those packages for which either a profile is not required or which a
profile is not planned are listed below, whilst the list of packages
that require a profile (and their associated binaries) is listed at
the end:
Packages that use user namespaces but for which a profile is not
required or not planned:
- bubblewrap
- /usr/bin/bwrap (NOT PLANNED AS NOTED ABOVE)
- cifs-utils
- /usr/sbin/cifs.upcall (NOT REQUIRED AS IS EXECUTED AS root)
- consfigurator # NOT REQUIRED, NO BINARIES OR reverse-depends
- criu
- /usr/sbin/criu (NOT REQUIRED SINCE ONLY FUNCTIONS AS root)
- docker.io-app
- /usr/bin/dockerd (NOT REQUIRED SINCE RUNS AS root)
- firejail
- /usr/bin/firejail (NOT REQUIRED SINCE is suid root)
- golang-github-containers-storage
- /usr/bin/containers-storage (NOT REQUIRED SINCE ONLY FUNCTIONS AS root)
- golang-gvisor-gvisor
- /usr/bin/runsc (NOT REQUIRED SINCE ONLY FUNCTIONS AS root)
- guix
- /usr/bin/guix-daemon (NOT REQURIED SINCE RUNS AS root)
- libvdestack # NOT REQUIRED, NO BINARIES OR reverse-depends
- libvirt # NOT REQUIRED SINCE USES lxc WHICH WILL HAVE A PROFILE
- network-manager # NOT REQUIRED SINCE CODE IS UNUSED
- nix # APPEARS UNNEEDED IN DEFAULT CONFIGURATION
- ocaml-extunix # NO BINARIES OR reverse-depends
- passt
- /usr/bin/passt # IS EXPECTED TO BE EXECUTED AS root
- rust-rustix # NO BINARIES AND CODE IS UNUSED IN THE ARCHIVE
- util-linux
-
Packages that use unprivileged user namespaces which require a profile (or
already have one as part of the previous apparmor update in
4.0.0~alpha2-0ubuntu1 via LP: #2030353):
- bazel-bootstrap
- /usr/libexec/@{multiarch}/bazel/linux-sandbox
- busybox
- /usr/bin/busybox
- charliecloud
- /usr/bin/ch-checkns (included in 4.0.0~alpha2-0ubuntu1 via LP: #2030353)
- /usr/bin/ch-run (included in 4.0.0~alpha2-0ubuntu1 via LP: #2030353)
- crun
- /usr/bin/crun (included in 4.0.0~alpha2-0ubuntu1 via LP: #2030353)
- flatpak
- /usr/bin/flatpak
- golang-github-containers-buildah
- /usr/bin/buildah
- libcamera
- /usr/bin/cam
- /usr/bin/ipa_verify
- /usr/bin/lc-compliance
- /usr/bin/libcamerify
- /usr/bin/qcam
- libpod
- /usr/bin/podman
- lxc
- /usr/bin/lxc-attach
- /usr/bin/lxc-create
- /usr/bin/lxc-destroy
- /usr/bin/lxc-execute
- /usr/bin/lxc-start
- /usr/bin/lxc-stop
- /usr/bin/lxc-unshare
- /usr/bin/lxc-usernsexec
- mmdebstrap
- /usr/bin/mmdebstrap
- ocproxy
- /usr/bin/vpnns
- qt6-webengine
- /usr/lib/qt6/libexec/QtWebEngineProcess
- qtwebengine-opensource-src
- /usr/lib/@{multiarch}/qt5/libexec/QtWebEngineProcess
- rootlesskit
- /usr/bin/rootlesskit
- rpm
- /usr/bin/rpm
- runc
- /usr/sbin/runc
The usage of CLONE_NEWUSER within the following packages were not able to be
analysed fully and so profile are included for all relevant binaries:
- rust-virtiofsd
- /usr/libexec/virtiofsd
- sbuild
- /usr/bin/sbuild
- /usr/bin/sbuild-abort
- /usr/bin/sbuild-apt
- /usr/bin/sbuild-checkpackages
- /usr/bin/sbuild-clean
- /usr/bin/sbuild-createchroot
- /usr/bin/sbuild-distupgrade
- /usr/bin/sbuild-hold
- /usr/bin/sbuild-shell
- /usr/bin/sbuild-unhold
- /usr/bin/sbuild-update
- /usr/bin/sbuild-upgrade
- /usr/sbin/sbuild-adduser
- /usr/sbin/sbuild-destroychroot
- slirp4netns
- /usr/bin/slirp4netns
- stress-ng
- /usr/bin/stress-ng
- systemd
- thunderbird
- /usr/bin/thunderbird
- toybox
- /bin/toybox
- trinity
- /usr/bin/trinity
- tup
- /usr/bin/tup
- userbindmount
- /usr/bin/userbindmount
- uwsgi
- /usr/bin/uwsgi-core
- vdens
- /usr/bin/vdens
Finally as noted in https://bugs.launchpad.net/ubuntu/+source/linux-
meta-nvidia-5.19/+bug/2017980 the popular third-party application
Google Chrome also requires unprivileged user namespaces:
- google-chrome
- /opt/google/chrome/chrome
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2035315/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
