Re: Linux: Disabling network namespaces

[Jordan Glover <Golden_Miller83 () protonmail ch>]

On Saturday, April 20th, 2024 at 8:12 PM, Solar Designer <solar () openwall com> wrote:

> Does bubblewrap maybe already relinquish also the ability to create
> nested namespaces, which it probably could do with seccomp? I guess not
> as that would break its usage to sandbox programs like Firefox that also
> create a namespace for their own sandbox. With namespace creation still
> allowed but capabilities ineffective, I guess such programs maybe could
> still work if they don't need to configure networking in the sandbox.

bubblwrap has --disable-userns option which prevents creation of nested namespaces (from manpage):

       --disable-userns
Prevent the process in the sandbox from creating further user namespaces, so that it cannot rearrange the filesystem 
namespace or do other more complex namespace modification. This is currently implemented by setting the 
user.max_user_namespaces sysctl to 1, and then entering a nested user namespace which is unable to raise that limit in 
the outer namespace. This option requires --unshare-user, and doesn't work in the setuid version of bubblewrap.

Flatpak uses this (or seccomp filter) to block nested namespaces as this can bypass security its design. For this 
reason firefox own sandbox doesn't use namespaces in flatpak, see https://bugzilla.mozilla.org/show_bug.cgi?id=1756236

Jordan