search

anthraxx / linux-hardened

Minimal supplement to upstream Kernel Self Protection Project changes. Features already provided by SELinux + Yama and archs other than multiarch arm64 / x86_64 aren't in scope. Only tags have stable history. Shared IRC channel with KSPP: irc.libera.chat #linux-hardening
Other
573 stars 56 forks source link

Allow use of restricted userns #99

Open valoq opened 1 month ago

valoq commented 1 month ago

Last year Ubuntu started to support a new sysctl kernel.apparmor_restrict_unprivileged_userns that allows the use of user namespaces only if the process is confined by an apparmor profile and includes the permission userns, thereby allowing a restricted use of userns. The required patches allegedly also made it into the upstream kernel.

Recently apparmor version 4 was published and this week made it to arch as well, installing a number of apparmor profiles that include the new userns permission for application that require it, thereby allowing the vanilla arch kernel to use restricted userns by setting kernel.apparmor_restrict_unprivileged_userns to 1

With an increasing number of applications displaying warnings when userns are unavailable and consequently reducing or disabling runtime protection features, it may be a good idea to allow restricted userns in the hardened kernel since now the default apparmor package supports it as well.

For this to work the hardened kernel config would need to include CONFIG_USER_NS_UNPRIVILEGED=y while also setting kernel.apparmor_restrict_unprivileged_userns to 1 by default, thereby arriving at the same restrictions we have now since the restricted userns will only be available for processes running in apparmor, which is not loaded as an lsm by default. While this change wont impact user that do not want userns, it will allow anyone to load the apparmor lsm and use userns for specified applications.

Feature details: https://discourse.ubuntu.com/t/spec-unprivileged-user-namespace-restrictions-via-apparmor-in-ubuntu-23-10/37626

~~Update: The vanilla kernel has kernel.unprivileged_userns_apparmor_policy set to 1 but there seems to be no documentation about it and whether this is equal to kernel.apparmor_restrict_unprivileged_userns Currently looking for more information.~~

valoq commented 3 weeks ago

The feature has yet to make it into the upstream kernel and is expected to possibly arrive in linux 6.14 https://lists.ubuntu.com/archives/apparmor/2024-October/013386.html

Once this is available, I would suggest to use the above described settings by default in linux-hardened to allow the use of userns for apparmor confined processes. Users till have to setup apparmor profiles to enable the use of userns for specified applications, thereby the default does not change