On 11/16/24 06:42, Sam wrote:
> I was wondering about the threats being mitigated by disabling
> unprivileged userns like this. After some searching, I was able to find
> this rationale: https://discourse.ubuntu.com/t/spec-unprivileged-user-namespace-restrictions-via-apparmor-in-ubuntu-23-10/37626
>
> Now my question becomes: On a system where software like podman or
> flatpak are installed, wouldn't an unprivileged attacker be able to
> trivially leverage that software to work around your apparmor
> limitation? Would there be any security benefit in keeping
> `kernel.apparmor_restrict_unprivileged_userns` set to 0 with the
> presence of such software on the system?
>
> For context, I'm trying to evaluate my options since we make extensive
> use of bwrap in our systems. Currently, all my attempts to fix bwrap
> ended with `bwrap: setting up uid map: Permission denied` which was
> finally explained when I discovered this bug.
>

@samluanch as you noted, container managers like flatpak and podman can indeed be a problem, depending on what their children are allowed to do. Yes, if not handled correctly they can be used as a trivial by-pass, which is part of the reason you have run into problems with bwrap. The container manager can be limited, and its children's rights can be mitigated, keeping the manager from being used as a trivial by-pass.

There is a bwrap profile that allows bwrap to function. It however does limit/break some of bwrap. And it has had interactions with flatpak that led to it being reverted. There will be another attempt to roll a revised version out.

The other part of the answer to your inquiry is, Ubuntu is trying to ship a secure by default configuration. Users are allowed to install what they want, change configurations, etc. The user is then opting into a less secure configuration. We will not be setting the restriction to 0 with the installation of such software on the system because it can still block attacks; to by-pass it, an attack will have to be tailored to use software that is not enabled by default and requires privilege to install. In addition, there are configurations of flatpak and podman that can work with the restriction, so it very much will depend on your local config.

https://bugs.launchpad.net/bugs/2046844

Title:
  AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

Status in AppArmor: New
Status in Wike: New
Status in akonadiconsole package in Ubuntu: Fix Released
Status in akregator package in Ubuntu: Fix Released
Status in angelfish package in Ubuntu: Fix Released
Status in apparmor package in Ubuntu: Fix Released
Status in bubblewrap package in Ubuntu: Fix Committed
Status in cantor package in Ubuntu: Fix Released
Status in devhelp package in Ubuntu: Fix Released
Status in digikam package in Ubuntu: Fix Released
Status in epiphany-browser package in Ubuntu: Fix Released
Status in evolution package in Ubuntu: Fix Released
Status in falkon package in Ubuntu: Fix Released
Status in firefox package in Ubuntu: Confirmed
Status in foliate package in Ubuntu: Fix Committed
Status in freecad package in Ubuntu: Invalid
Status in geary package in Ubuntu: Fix Released
Status in ghostwriter package in Ubuntu: Fix Released
Status in gnome-packagekit package in Ubuntu: Invalid
Status in goldendict-webengine package in Ubuntu: Fix Released
Status in guix package in Ubuntu: Confirmed
Status in kalgebra package in Ubuntu: Fix Released
Status in kchmviewer package in Ubuntu: Fix Released
Status in kdeplasma-addons package in Ubuntu: Fix Released
Status in kgeotag package in Ubuntu: Fix Released
Status in kiwix package in Ubuntu: Incomplete
Status in kmail package in Ubuntu: Fix Released
Status in konqueror package in Ubuntu: Fix Released
Status in kontact package in Ubuntu: Fix Released
Status in loupe package in Ubuntu: Fix Released
Status in marble package in Ubuntu: Fix Released
Status in notepadqq package in Ubuntu: Fix Released
Status in opam package in Ubuntu: Fix Released
Status in pageedit package in Ubuntu: Fix Released
Status in plasma-desktop package in Ubuntu: Fix Released
Status in plasma-welcome package in Ubuntu: Fix Released
Status in privacybrowser package in Ubuntu: Invalid
Status in qmapshack package in Ubuntu: Fix Released
Status in qutebrowser package in Ubuntu: Fix Released
Status in rssguard package in Ubuntu: Fix Released
Status in steam package in Ubuntu: Fix Released
Status in supercollider package in Ubuntu: Fix Released
Status in tellico package in Ubuntu: Fix Released
Status in tor package in Ubuntu: Confirmed
Status in wike package in Ubuntu: Fix Committed
Status in apparmor source package in Noble: Fix Released

Bug description:
  Hi, I run Ubuntu development branch 24.04 and I have a problem with
  Epiphany browser 45.1-1 (Gnome Web): program doesn't launch, and I get
  this error

  $ epiphany
  bwrap: Creating new namespace failed: Permission denied

  ** (epiphany:12085): ERROR **: 14:44:35.023: Failed to fully launch dbus-proxy: Le processus fils s’est terminé avec le code 1
  Trappe pour point d'arrêt et de trace (core dumped)

  $ epiphany
  bwrap: Creating new namespace failed: Permission denied

  ** (epiphany:30878): ERROR **: 22:22:26.926: Failed to fully launch dbus-proxy: Le processus fils s’est terminé avec le code 1
  Trappe pour point d'arrêt et de trace (core dumped)

  Thanks for your help!
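
An added example, not part of the thread or of Ubuntu's tooling: a local audit that reports the state of `kernel.apparmor_restrict_unprivileged_userns` and lists which AppArmor profiles grant user namespace creation, flagging those that do so without otherwise confining the program or its children. It assumes profiles are text files under `/etc/apparmor.d` and use the AppArmor 4.0 `userns,` rule and `flags=(unconfined)` header syntax; the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: which installed profiles allow user namespace creation?
# Assumption: one profile per file under /etc/apparmor.d (a simplification;
# files that hold several profiles are reported once, by file name).

# Print the value of the restriction sysctl, or "absent" when the kernel
# does not expose it. The path can be overridden for testing.
userns_restriction_state() {
    local f="${1:-/proc/sys/kernel/apparmor_restrict_unprivileged_userns}"
    if [ -r "$f" ]; then cat "$f"; else echo absent; fi
}

# For each file in DIR that carries an allow rule for userns, print
#   <file> unconfined   profile only lifts the restriction; the program
#                       and its children are not otherwise limited
#   <file> confined     userns is granted inside a real policy, which is
#                       where the children's rights can be limited
audit_userns_profiles() {
    local dir="${1:-/etc/apparmor.d}" f mode
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # "userns," or "allow userns create," at the start of a rule line.
        # Commented-out rules and "deny userns," do not match.
        grep -Eq '^[[:space:]]*(allow[[:space:]]+)?userns([[:space:]]+[^#]*)?,' "$f" \
            || continue
        # flags=(unconfined) on a non-comment line marks an allow-list-only profile.
        if grep -Eq '^[^#]*flags=\([^)]*unconfined[^)]*\)' "$f"; then
            mode=unconfined
        else
            mode=confined
        fi
        printf '%s %s\n' "$(basename "$f")" "$mode"
    done
}

# Report for the local system (prints nothing for the audit when the
# profile directory is missing or empty).
echo "apparmor_restrict_unprivileged_userns: $(userns_restriction_state)"
audit_userns_profiles
```

Entries reported as `unconfined` are the ones to review first when deciding whether an installed program could act as the by-pass discussed in the reply.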