I am reading a lot about this currently.

Basically:

  • podman, flatpak, some Browsers use user namespaces to isolate activities from the main system
  • they are widely used as a security measurement
  • on Linux Flatpak uses them, as bubblewrap creates new user namespaces for each application
  • Flatpakked browsers cant use user namespaces themselves, as this is not compatible with flatpak. So their security especially in Chromium is reduced.

But that is as far as I go. The hardened Linux Kernel disables user namespaces. There is bubblewrap-suid which avoids using user namespaces.

Unflatpakked browsers are more secure as they can use their builtin sandbox to do things like tab isolation. But does this even work when user namespaces are disabled, or does this also break sandboxing?

Are user namespaces secure, is not using them even worse, what are hidden implications?

I also read that firejail runs as root, so if it has a security hole the sandboxed program can get root privileges. Isnt that the same with bubblewrap-suid ?

  • @_zi
    link
    English
    32 months ago

    Namespaces basically are a sort of kernel enforced isolation. A processes enters a namespace and to that process it might be root on its own machine. Behind the scenes the kernel is kinda translating everything it does so into its own little sandboxed area instead of the root system. But inside that namespaces it legitimately thinks it is the root user and can exercise most of the functional that is only exposed to privileged users. (f course the kernel limits what it can do to only being inside it’s own little space so that alone isn’t an issue.

    When it comes to hardening, the namespaces are not inherently insecure. The difference is in the “attack surface” an unprivileged user has access to through them.

    A simple example of this is mounting a filesystem. Now the user won’t be able to like remount a privileged filesystem or something it’ll be isolated. But let’s say there is a vulnerability in the exact filesystem code in the kernel, your server doesn’t mount any exfat drives and you disallow automounting of anything for hardening. So even if the issue exists an attacker couldn’t exploit it because the exfat code isn’t reachable as normal user. With a user namespaces though a user becomes root of their own little area so they can actually ask the kernel to mount something inside their namespace. So now with a namespace an attacker can get access to exploit their theoretical exfat filesystem vulnerability.

    tl;dr the problem with having namespaces on is it allows unprivileged users access to a lot more “potentially” vulnerable code that could be exploitable.