User namespaces allow unprivileged user apps to interact with the kernel like they normally couldn't: access filesystem drivers, networking and more.
This opens a ton of attack surface and has resulted in a lot of exploits leading to privilege escalation to root. Actually more than root, as root users can still be SELinux confined, but the kernel has highest privileges and no protections between its components.
I found this video interesting, where 2 devs explain the issue, and how they restrict user namespace creating apps using AppArmor, to minimize this attack surface.
He also mentions the danger of allowing apps from user-writable locations to use user namespaces, as an attacker could overwrite that location.
I think secureblue has done the same here but with SELinux?
They added rules that only SELinux confined processes can create user namespaces.
They also replace suid with capabilities, see this script.
What do you think of this approach?
Even though selinux confined users are not there yet, restricting user namespaces sounds essential to me.
The situation is complicated. Firefox relies on them with no fallback apart from seccomp-bpf (which is why the Flatpak should not be promoted as secure). Distrobox, toolbx, podman, Flatpak, the whole ecosystem relies on these.
But even if the concept might not be fully flawed (which many people say), fixing this sounds crucial, to have Fedora as a leading secure distro.
It seems like Ubuntu already has this implemented, with a user facing app for troubleshooting.
This talk might interest you too
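Added example, not code from the post or from secureblue/Ubuntu: a small Python check that reads the sysctl knobs that govern unprivileged user namespace creation (mainline `user.max_user_namespaces`, the Debian/Arch `kernel.unprivileged_userns_clone` patch, and Ubuntu's `kernel.apparmor_restrict_unprivileged_userns`) and then tests from this very process whether it can still create one. It assumes a Linux host and that the probing process runs unprivileged; SELinux-based restriction like secureblue's is not visible via sysctl, which is why the direct probe is the ground truth.

```python
import ctypes
import os
from pathlib import Path

CLONE_NEWUSER = 0x10000000  # flag for unshare(2), from <linux/sched.h>

# Knobs that can restrict unprivileged user namespace creation. Only the first
# is mainline; the other two are distro patches and are simply absent elsewhere.
KNOBS = {
    "user.max_user_namespaces": "/proc/sys/user/max_user_namespaces",
    "kernel.unprivileged_userns_clone": "/proc/sys/kernel/unprivileged_userns_clone",
    "kernel.apparmor_restrict_unprivileged_userns":
        "/proc/sys/kernel/apparmor_restrict_unprivileged_userns",
}


def read_knobs() -> dict:
    """Read each knob; a missing file (knob not in this kernel) maps to None."""
    values = {}
    for name, path in KNOBS.items():
        try:
            values[name] = int(Path(path).read_text().strip())
        except (FileNotFoundError, PermissionError, ValueError):
            values[name] = None
    return values


def classify(values: dict) -> str:
    """Interpret the knobs: 'disabled', 'restricted' (AppArmor-mediated) or 'open'."""
    if values.get("user.max_user_namespaces") == 0:
        return "disabled"
    if values.get("kernel.unprivileged_userns_clone") == 0:
        return "disabled"
    if values.get("kernel.apparmor_restrict_unprivileged_userns") == 1:
        return "restricted"  # only processes whose profile grants userns may create one
    return "open"


def probe_userns() -> bool:
    """Ground truth: fork and call unshare(CLONE_NEWUSER) in the child.
    Probing from this process (not via a helper such as `unshare`, which may carry
    its own profile) reflects what an arbitrary app under the same policy gets."""
    pid = os.fork()
    if pid == 0:
        libc = ctypes.CDLL(None, use_errno=True)
        os._exit(0 if libc.unshare(CLONE_NEWUSER) == 0 else 1)
    _, status = os.waitpid(pid, 0)
    return os.waitstatus_to_exitcode(status) == 0


if __name__ == "__main__":
    vals = read_knobs()
    for name, v in vals.items():
        print(f"{name} = {'absent' if v is None else v}")
    print("sysctl policy:", classify(vals))
    print("this process can create a user namespace:", probe_userns())
```

Run it as a regular user: a "restricted" or "disabled" sysctl verdict together with a False probe is what a hardened desktop should show, while an "open" verdict with a True probe is the default most distros still ship.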