In short, unprivileged user namespaces are a vector for exploit chains, as
they expose interfaces that otherwise would not be available.

4 out of 5 exploit chains in Pwn2Own 2022 used unprivileged user
namespaces. They were also used in 2021, 2020, ...  Yes, the actual
vulnerabilities were in other interfaces (io_uring, eBPF, nftables, ...),
but none of them would have been available without unprivileged user
namespaces.

Previously we only had the option of using a system-wide sysctl,
kernel.unprivileged_userns_clone, to disable unprivileged user
namespaces. Debian defaults this to off, and you have to opt in.

Ubuntu is now moving towards a more fine-grained approach where they can
be selectively turned on for some applications but aren't generally
available.

For 22.10 the apparmor sysctl will default to off, while further
packaging work is done for applications that need access to unprivileged
user namespaces.

-- 
https://bugs.launchpad.net/bugs/1990064

Title:
  unconfined profile denies userns_create for chromium based processes

Status in apparmor package in Ubuntu:
  Confirmed
Status in linux package in Ubuntu:
  Incomplete

Bug description:
  For Ubuntu 22.10, since the last kernel update, I can't launch any
  chromium-based browser, due to apparmor denying userns_create

  dmesg shows:
  apparmor="DENIED" operation="userns_create" class="namespace" info="User namespace creation restricted" error=-13 profile="unconfined" pid=21323 comm="steamwebhelper" requested="userns_create" denied="userns_create"

  This happens for every process which uses a chromium engine, like
  Google Chrome itself or, in this case, steamwebhelper.

  Might be related to this change?:
  
https://patchwork.kernel.org/project/netdevbpf/patch/20220801180146.1157914-5-f...@cloudflare.com/

  Not sure if it got merged in this form, though.

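The reply above describes two gates on unprivileged user namespaces (the system-wide kernel.unprivileged_userns_clone sysctl and Ubuntu's newer AppArmor-based, per-application restriction) and the bug report shows what a denial looks like in dmesg. The script below is an added example, not code from the Launchpad thread or from Ubuntu's packaging. It checks which gate is active on the running host, pulls userns_create denials out of kernel log lines so you can see which programs need a profile, and emits a profile that leaves one binary unconfined except for an explicit userns grant. Assumptions, labelled in the code as well: the AppArmor sysctl name kernel.apparmor_restrict_unprivileged_userns (the thread only says "the apparmor sysctl"), the profile syntax (abi 4.0, flags=(unconfined), a userns rule) as shipped in Ubuntu 24.04 rather than whatever 22.10 settled on, and the sample log, of which only the first line is the reporter's; the other two are constructed.

```shell
#!/bin/sh
# Added example for the userns_create discussion; not from the Launchpad
# thread. Sysctl names and profile syntax are assumptions (see lead-in).

# Which gate is in front of unprivileged user namespaces on this host?
# Prints one of: clone-disabled, apparmor-restricted, open, unknown.
# kernel.unprivileged_userns_clone is the Debian/Ubuntu sysctl named in the
# thread; kernel.apparmor_restrict_unprivileged_userns is the assumed name of
# Ubuntu's AppArmor-based gate.
userns_gate_state() {
    clone=/proc/sys/kernel/unprivileged_userns_clone
    aa=/proc/sys/kernel/apparmor_restrict_unprivileged_userns
    if [ -r "$clone" ] && [ "$(cat "$clone")" = "0" ]; then
        echo clone-disabled
    elif [ -r "$aa" ] && [ "$(cat "$aa")" = "1" ]; then
        echo apparmor-restricted
    elif [ -r "$clone" ] || [ -r "$aa" ]; then
        echo open
    else
        echo unknown
    fi
}

# Empirical check, independent of sysctl values: can this (unprivileged)
# shell actually create a user namespace? Prints ok or denied.
userns_probe() {
    if unshare -U true 2>/dev/null; then echo ok; else echo denied; fi
}

# Reduce AppArmor userns_create denials on stdin to "comm profile" pairs.
# Non-userns denials (file opens etc.) and ALLOWED/AUDIT lines are dropped.
userns_denials() {
    grep 'apparmor="DENIED"' | grep 'operation="userns_create"' |
    sed -n 's/.*profile="\([^"]*\)".*comm="\([^"]*\)".*/\2 \1/p'
}

# Emit a profile that keeps BINARY unconfined but explicitly grants user
# namespace creation, in the form Ubuntu 24.04 uses for e.g. chrome
# (assumed syntax). Write it to /etc/apparmor.d/NAME and load it with
# "apparmor_parser -r /etc/apparmor.d/NAME".
userns_profile() {
    binary=$1; name=$2
    cat <<EOF
abi <abi/4.0>,
include <tunables/global>

# $binary: unconfined, except that userns creation is explicitly permitted
profile $name $binary flags=(unconfined) {
  userns,

  include if exists <local/$name>
}
EOF
}

# Constructed sample log. Line 1 is the reporter's dmesg line; lines 2 and 3
# are made up to show a second offender and a non-userns denial being ignored.
SAMPLE_LOG='apparmor="DENIED" operation="userns_create" class="namespace" info="User namespace creation restricted" error=-13 profile="unconfined" pid=21323 comm="steamwebhelper" requested="userns_create" denied="userns_create"
apparmor="DENIED" operation="userns_create" class="namespace" info="User namespace creation restricted" error=-13 profile="unconfined" pid=21400 comm="chrome" requested="userns_create" denied="userns_create"
apparmor="DENIED" operation="open" class="file" profile="snap.firefox.firefox" name="/etc/shadow" pid=777 comm="firefox" requested_mask="r" denied_mask="r"'

# Stand-alone run: show the gate state, probe it, list offenders from the
# sample, and print a profile for Chrome. On a real host replace the sample
# with: dmesg | userns_denials
echo "gate: $(userns_gate_state)  probe: $(userns_probe)"
printf '%s\n' "$SAMPLE_LOG" | userns_denials
userns_profile /opt/google/chrome/chrome chrome
```

Note the difference between the two checks: userns_gate_state reads policy, userns_probe observes behaviour, and on a host where the AppArmor gate is on they disagree for exactly the binaries that have a profile with a userns rule. That is the point of Ubuntu's approach as described in the reply: the probe from an unprofiled shell says "denied" while chrome, running under its own profile, still gets its sandbox.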


-- 
Mailing list: https://launchpad.net/~touch-packages