Re: Linux: Disabling network namespaces

[Demi Marie Obenour <demi () invisiblethingslab com>]

On Sun, Apr 14, 2024 at 09:08:55PM +0200, Solar Designer wrote:
> Hi,
>
> Many Linux kernel vulnerabilities including the recently exploited
> Netfilter CVE-2024-1086 require CAP_NET_ADMIN in a namespace, yet a
> typically recommended mitigation is to disable user namespaces (not just
> network namespaces).
>
> Further, while on Debian/Ubuntu it is possible to disable just
> unprivileged user namespaces with the Debian-specific sysctl
> kernel.unprivileged_userns_clone=0, on other distros we'd have to use
> user.max_user_namespaces=0, which (unnecessarily) prevents starting of
> containers even by root.
>
> Fredrik Nystrom on Rocky Linux Mattermost channel Security pointed out
> that it is reasonable to disable just network namespaces with
> user.max_net_namespaces=0 instead, and that the negative effects of
> doing so and how to cope with them are well-documented for Apptainer,
> with its documentation also covering Docker, Podman, and systemd:
>
> https://apptainer.org/docs/admin/latest/user_namespace.html#disabling-network-namespaces
>
> I hope some of us in here find this useful, and maybe we (including
> distros) will start recommending this milder mitigation when sufficient.

Is this still compatible with Firefox?

IMO an ideal solution would be:

1. Provide a privileged helper daemon that sets up containers based on
   user requirements.

2. Port programs that use containers to use this helper.
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab

Attachment: signature.asc
Description: