-
-
Notifications
You must be signed in to change notification settings - Fork 16
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Help test namespace limit for existing profiles #62
Comments
Looks like Firefox will work just fine with all namespaces disabled. However, this stops it from using its own internal sandboxing features where it runs each thread in its own user, ipc and network namespace. |
... making it less secure because firefox native sandbox can confine dangerous (web content, ...) processes to a bare minimum of system resources. The most (user faceing) programs work with all namespaces disabled. Only programs that sandbox them self (chrom*/electron, firefox, newer webkit2gtk) require them. $ grep -EL "^restrict-namespaces$" $(grep -L "# Redirect" /etc/firejail/*.profile) | wc -l
60
$ grep -El "^restrict-namespaces$" $(grep -L "# Redirect" /etc/firejail/*.profile) | wc -l
580
|
The advantage of using the For example, it looks like Chromium will only ever use 1 extra network namespace. This means CVE-2023-0179 won't be exploitable since even if the malicious process would be able to spawn user namespaces creating the new network namespace would be impossible. Looks like Firefox will be able to use sandboxing with this configuration: [namespaces_limits]
user = -1
mount = 0
pid = 1
ipc = -1
net = -1
time = 0
uts = 0
cgroup = 0
What about Steam? I think it uses namespaces for its run time implementation. |
👍
Steam as a distribution platform has it's own complexity level. It installs and runs games that itself could do a lot. It has some webrendring components. |
What is the benefit of limiting namespaces? What is expected to happen when a program, like Firefox, runs out of namespaces? Would Firefox quit working? Stop sandboxing? Something else? |
Namespaces are a common vulnerability vector in Linux kernel. See CVE-2023-0179 for example.
Definitely not. Most often the program would crash. |
I think I figured out why it For some reason the user namespace fetched from the PID that bubblewrap sends is actually the parent namespace already. This can be fixed with a small check that the subprocess is not already in the owner user namespace. |
Version 0.8.0 has been released with namespace limits service.
Because a lot of applications will fail to run with all namespaces disabled the available profiles had not been given any limits on namespaces. I would like in the next version for profiles to receive a some default namespace limits.
For example, this is a Chromium configuration that I found to work:
Generally the
lsns --tree
command should give a good overview on how the application might use namespaces internally.The text was updated successfully, but these errors were encountered: