netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0

nonroot --netns=XXX/--net=XXX is insecure #2830

Open simonfxr opened 5 years ago

simonfxr commented 5 years ago

Using --netns/--net as a non-root user is quite useful, however without further access checking it is insecure. It allows any firejail user to join any network namespace or access the net through any device. E.g. some user may run a private openvpn instance in a network namespace (as I do) and a different firejail user can now join the network namespace, which is clearly not desirable. I believe --net=XXX (except --net=none of course) poses a similar problem, since it might make it possible to sidestep system routing policies. My suggestion would be to add some access checking, e.g. by introducing new options in firejail.config. E.g. something like

netns_allow <USER>: netns1 netns2 netns3
net_allow <USER>: bridge1 bridge1
rusty-snake commented 5 years ago
  1. firejail is focused on single user desktop systems. Which doesn't mean this isn't an issue. firejail doesn't really separate users (#2768, ...)
  2. You can use restricted-network to fully shut down --net (except for --net=none):
    # Enable or disable restricted network support, default disabled. If enabled,
    # networking features should also be enabled (network yes).
    # Restricted networking grants access to --interface, --net=ethXXX and
    # --netfilter only to root user. Regular users are only allowed --net=none.
    # restricted-network no

    or firejail.users to restrict users who are allowed to use it.

  3. To have a netns_allow, net_allow or netns_deny, net_deny or similar, would be great.
  4. Figure out if --join-network can be used to bypass 3. if a sandbox is running.
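
One way the per-user allow list proposed in the opening post (and endorsed in point 3 above) could be checked, as an added example that is not firejail code: it parses hypothetical `netns_allow <USER>: ...` / `net_allow <USER>: ...` lines from a constructed firejail.config fragment and answers "may this user use this namespace or interface?" with default deny. The `uid == 0` and `--net=none` exceptions mirror the existing restricted-network behaviour quoted above; the name pattern check is an assumption added so that a granted name is always a plain identifier.

```python
"""Default-deny allow-list check for non-root --netns / --net.

The netns_allow / net_allow keys are the syntax suggested in this issue;
they are hypothetical and not part of firejail.config today.
"""
import re

# Constructed sample of the proposed config lines (not a real config).
SAMPLE_CONFIG = """
# comments and blank lines are ignored
netns_allow alice: vpnns
netns_allow bob: vpnns labns
net_allow alice: br0
restricted-network yes
"""

ALLOW_LINE = re.compile(r"^(netns_allow|net_allow)\s+(\S+?):\s*(.*)$")
# A namespace or interface name is a plain identifier; anything else
# (path separators, "..", empty) is never granted, whatever the config says.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,15}$")


def parse_allow_lists(text):
    """Return {"netns": {user: set(names)}, "net": {user: set(names)}}."""
    allow = {"netns": {}, "net": {}}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        m = ALLOW_LINE.match(line)
        if not m:
            continue  # other firejail.config keys are ignored here
        kind = "netns" if m.group(1) == "netns_allow" else "net"
        user, names = m.group(2), m.group(3).split()
        good = {n for n in names if SAFE_NAME.match(n) and n != ".."}
        allow[kind].setdefault(user, set()).update(good)
    return allow


def is_allowed(allow, kind, user, name, uid=1000):
    """True only if the user was explicitly granted this name.

    root keeps full access and --net=none stays open to everyone,
    matching what restricted-network already does; everything else
    is denied unless listed.
    """
    if uid == 0:
        return True
    if kind == "net" and name == "none":
        return True
    return name in allow[kind].get(user, set())
```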