Bypassing Ubuntu's user-namespace restrictions

by
jzb
from LWN.net on (#6W7JM)

Ubuntu 23.10 and 24.04 LTS introduced a feature using AppArmor torestrict access to user namespaces. Qualys has reportedthree ways to bypass AppArmor's restrictions and enable local users togain full administrative capabilities within a user namespace. Ubuntuhas followed up with a postthat explains the namespace-restriction feature in detail, and saysthese bypasses do not constitute security vulnerabilities.

While a superficial observation of the application of user namespaces may indicate privileged (root level) access, this is a fictitious state that is operating as expected, with access control still mapped to the real (root namespace) user's permissions. As such, these bypasses do not enable more access than what the default Linux kernelunprivileged user namespace feature allows in most Linuxdistributions. They do, however, demonstrate limitations that we arelooking to address in order to strengthen existing protections againstas-of-yet-unknown Linux kernel vulnerabilities.

LWN covered Ubuntu 24.04 LTS last May.

External Content
Source RSS or Atom Feed
Feed Location http://lwn.net/headlines/rss
Feed Title LWN.net
Feed Link https://lwn.net/
Reply 0 comments