[ubuntu-hardened] Firefox's sandbox, restricting user_namespaces(7) - a new User Namespaces for privileged processes entry.

daniel curtis sidetripping at gmail.com
Wed Jun 7 16:52:57 UTC 2017


Hello

Both Debian and Ubuntu provide a Linux kernel with the possibility to
restrict user_namespaces(7), right? So I would like to ask a question
about the 'kernel.unprivileged_userns_clone' sysctl key, changing it from
the default setting, which is '1', to the value '0', and the effects of
such a modification.

If I understand it correctly, one of the main reasons for implementing user
namespaces was to give non-root applications access to functionality that
earlier was limited to the root user only.

Because of all the security issues found in the past related to user
namespaces, and since it has opened up a large attack surface to
unprivileged users, e.g. CVE-2016-8655 (introduced in Linux v3.2-rc1 and
fixed in v4.9-rc8), exploitable by an arbitrary user if the mentioned sysctl
key value was '1' (which is the default setting, by the way), I have some
questions.

(Generally, a mitigation for the mentioned issues is simple: restricting
user namespace usage to privileged users only by using '0'.)

I changed the "kernel.unprivileged_userns_clone" key value from the default
'1' to '0' on my testing machine, running the 16.04 LTS release. Because this
step could have an impact on containers etc., I decided to check Firefox's
sandbox settings via the 'about:support' page. And there were some changes!
By default all four options are set to "true". Let's see:

✗ Seccomp-BPF (System Call Filtering) true
✗ Seccomp Thread Synchronization true
✗ User Namespaces true
✗ Plugin Sandboxing true

But after changing the 'kernel.unprivileged_userns_clone' key value to '0'
and loading the settings with the sysctl(8) command and the '-p' parameter,
an additional entry appeared and one value had changed to "false". Now it
looks this way:

✗ Seccomp-BPF (System Call Filtering) true
✗ Seccomp Thread Synchronization true
✓ User Namespaces for privileged processes true
✗ User Namespaces false
✗ Plugin Sandboxing true

As we can see, after the mentioned change, Firefox 53.0.3's sandbox has a
new key for privileged processes. What do you think about this? And what
about Firefox; can this change affect the sandbox in some way? Or maybe
this change is really more secure?

I would also like to ask what effects I can expect after this change.
I'm thinking about the situation when e.g. there are no containers in use
(I mean LXC, for example), system behavior and so on.

Thanks, best regards.
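A small probe, added here as an example and not part of the original post or of Firefox's own sandbox code, that does what the about:support "User Namespaces" line reflects: it tries unshare(CLONE_NEWUSER) from an unprivileged process and reports whether the kernel.unprivileged_userns_clone knob discussed above blocks it. It assumes a Linux toolchain and a Debian/Ubuntu kernel carrying that sysctl (the probe still works on other kernels; only the sysctl read returns -1).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>
/* Outcome of trying to create an unprivileged user namespace. */
enum userns_status { USERNS_OK = 0, USERNS_RESTRICTED, USERNS_UNSUPPORTED, USERNS_ERROR };

/* Read the Debian/Ubuntu-specific sysctl: 1 or 0, or -1 if this kernel has no such knob. */
int read_userns_sysctl(void)
{
    FILE *f = fopen("/proc/sys/kernel/unprivileged_userns_clone", "r");
    int v = -1;
    if (!f) return -1;
    if (fscanf(f, "%d", &v) != 1) v = -1;
    fclose(f);
    return v;
}

/* Map the errno of a failed unshare(CLONE_NEWUSER) to a status (0 means it succeeded). */
enum userns_status classify_unshare_errno(int err)
{
    switch (err) {
    case 0:      return USERNS_OK;
    case EPERM:  return USERNS_RESTRICTED;  /* sysctl set to 0, or a seccomp/chroot restriction */
    case EINVAL: return USERNS_UNSUPPORTED; /* kernel built without CONFIG_USER_NS */
    default:     return USERNS_ERROR;
    }
}

/* Attempt the unshare in a throwaway child so the caller's own namespace is left untouched;
 * the child passes errno back through its exit status. */
enum userns_status probe_unprivileged_userns(void)
{
    int st;
    pid_t pid = fork();
    if (pid < 0) return USERNS_ERROR;
    if (pid == 0) _exit(unshare(CLONE_NEWUSER) == 0 ? 0 : (errno & 0xff));
    if (waitpid(pid, &st, 0) < 0 || !WIFEXITED(st)) return USERNS_ERROR;
    return classify_unshare_errno(WEXITSTATUS(st));
}
int main(void)
{
    static const char *names[] = { "available", "restricted (EPERM)", "unsupported (EINVAL)", "error" };
    printf("kernel.unprivileged_userns_clone = %d\n", read_userns_sysctl());
    printf("unprivileged user namespaces: %s\n", names[probe_unprivileged_userns()]);
    return 0;
}
```

Run it as a normal user before and after `sysctl -p`: with the knob at '1' it reports "available", with '0' it reports "restricted (EPERM)", which is the same transition Firefox shows when its "User Namespaces" line flips to "false".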