feature request: alternative to user namespace sandbox on Linux #3420
Comments
|
The issue is somewhat solved for the snap application since snap apps use sandboxing as long as they are set up properly. But as you say this is a security flaw for non snap apps. This should still be concidered pretty important though due to the fact that a lot of people doesn’t use snap. It has flaws like being slow, bad font and theme integration and a couple other issues... |
|
@posix4e how does sandboxing on snap work? |
|
"The issue is somewhat solved for the snap application since snap apps use sandboxing as long as they are set up properly. But as you say this is a security flaw for non snap apps." -> Snap also uses userns for security and we now have proper isolation in the snap. That being said, although I am the package maintainer for snap, I'm still concerned about the runtime performance. Dropping UserNS support is a fantasy: I have never gotten a direct answer on why the LD_LIBRARY_PATH attacks wouldn't allow any library, installed and run by a setuid binary to have full root access on the system. I believe this is why chromium is dropping setuid |
|
I think this is the documentation for snap sandboxing: https://docs.snapcraft.io/snap-confinement/6233 However the Flatpak (#1000) would also have sandboxing documentation & reference and they would allow you to host the repository by yourself while in Snap users can only use a single repository at a time. |
|
@Mikaela Let's be a bit more nuiansced. It is particularly interesting to know why we don't recommend the snap. This is because it's not a part of the normal brave build and security reviews (@diracdeltas will have more) not because of a specific limitation of snapcraft vs flatpack. That being said if you are interested in helping with a flatpak, please email because i was going to start on one |
|
Thank you for creating this issue @diracdeltas Of your three potential solutions, I think that re-enabling the Chromium solution is a good stop gap. If Chromium really will deprecate its sandbox, tthat will recreate these same issues for many Linux users, and the Chromium project will have a great deal more resources to resolve it at that time. That said, I think Brave having a sandbox that is superior to what Chromium and other browsers provide is actually a powerful additional unique value proposition to the Brave community who tend to be very serious about security. Option 1 would be really wrong, imho. |
|
It has been two months, with Linux user's security still degraded. Is there any update around this issue? @diracdeltas |
|
I agree with @jacobcantele . |
tildelowengrimm
added
the
packaging
tildelowengrimm
added
the
priority/P5
You refer to a mailing list post from 2017. What are the/any/some current security concerns with the feature? |
No, it isn't. The snap sandbox isn't even comparable to chromium's.
Obviously docker needs it for unprivileged containers.
The linux kernel does not need it. Entire user namespace support for the kernel can easily be dropped just by setting
That's what this issue is trying to solve.
An insecure sandbox with far too large attack surface is not a reason to decrease kernel security for everyone. Besides, firejail doesn't need user namespaces either. netblue30/firejail#425 (comment) netblue30/firejail#9 (comment)
seccomp-bpf filters syscalls. It has absolutely nothing to do with user namespaces.
apparmor also has nothing to do with user namespaces.
Exposing a whole lot of kernel code to unprivileged users is an even bigger step backwards.
Flatpak isn't comparable to chromium's either. Flatpak has a completely broken sandbox. It mounts /home as read-write for most apps meaning to escape you just need to run
It still exposes huge attack surface. Create an unprivileged user namespace with a net namespace and now you have access to the entirety of netfilter code. That mailing list post is still true. You can even ask Micay himself if you want. |
This is fine, but that discussion doesn't actually provide any examples, and a response (https://lists.archlinux.org/pipermail/arch-general/2017-February/043076.html) contradicts all of those claims. Arch have even enabled user namespaces in recent kernels... If someone could show a current vulnerability (ideally with some sort of PoC) then it would make an argument against user namespaces much easier. Referring to historical issues which have since been fixed (or were hypothetical in the first place) isn't an argument against user namespaces, but an argument for testing and bug fixing. |
Many examples were provided in the linked tickets.
That response is by someone who has no idea what they're talking about and was already responded to by Micay. https://lists.archlinux.org/pipermail/arch-general/2017-February/043078.html Read the whole discussion. Stop cherry picking.
It had unprivileged user namespaces disabled by default with a kernel patch for years until very recently.
Here are just a few examples: https://nvd.nist.gov/vuln/detail/CVE-2019-11360 https://www.cvedetails.com/cve/CVE-2018-14646/ https://www.cvedetails.com/cve/CVE-2018-18955/ |
|
This issue has caused a lot of damage to the reputation of Brave in the F/OSS community (look at the issues linking to this one listed up above or the dozens of other threads across various different Linux communities that have removed Brave from their repositories). That alone should be sufficient incentive to take this issue seriously. This issue has now been open for 9 months, without any security fix even being worked on. Please, please take this issue seriously. |
|
That's interesting. Can you point out the communities which don't support
user namespaces? I'd love to reach out and help them with any issues they
may be having. Mind you, this is all my fault not Brave's. Let me provide a
bit of the backstory.
When I worked on muon and did some work with Brave, I actually worked on
the sandbox implementation which was supposed to fix this thread. However,
I refused to implement the setuid sandbox legacy implementation because I
had no idea how to do it in a way I couldn't exploit. Namely the concern I
had was around dynamic library loading in a setuid environment before any
of the rendering threads launch. Dynamic library loading is used by lots of
things like Widevine. I believed it would be against my ethical standards
to implement a setuid brave implementation even though I could not disclose
a 0 day vulnerability publicly to prove my case or make any claims of such
a vulnerability existing.
That being said, since this issue was opened chromium and brave has had a
lot of work done to them. Brave no longer uses muon or any of my code. It
no longer uses the sandbox that I worked on. Perhaps you should check it
out again and see if any of the issues still exist. I think I personally
should take all the damage and Brave is probably fine.
|
Debian, one of the most popular linux distros disables unprivileged user namespaces by default. The Arch Linux linux-hardened kernel disables unprivileged user namespaces. The KSPP recommends to disable them along with tons of other security experts so you can bet many security focused Linux users will be following their advice. And many more.
AT_SECURE is set on setuid/setgid binaries on Linux which prevents that from being exploited entirely. There has not been a single known privilege escalation exploit in chromium's suid sandbox. |
|
In addition to those threads about why the user name spaces are disabled in multiple kernel distributions, here are some of the issues and forum threads I know of that discuss this issue in detail: Privacy Tools removes Brave |
Only allow ptrace from a parent process to its children or via CAP_SYS_PTRACE. To verify sandbox status for Brave, Chrome, Firefox see brave://sandbox, chrome://sandbox, about:support, respectively. Also describe disadvantages of enabling unprivileged user namespaces. Distributions like Debian currently disable unprivileged user namespaces by default to decrease the kernel attack surface for local privilege escalation. See Debian bug #898446. If kept disabled, Brave 1.2+ and Chrome will still enforce namespace sandboxing via their setuid-root helper executable. See brave/brave-browser#3420 and brave/brave-browser#6247. Firefox does not include a setuid-root binary, however, so unprivileged user namespaces are useful to have for defence-in-depth, but not critical. See <https://www.morbo.org/2018/05/linux-sandboxing-improvements-in_10.html>.
Only allow ptrace from a parent process to its children or via CAP_SYS_PTRACE. To verify sandbox status for Brave, Chrome, Firefox see brave://sandbox, chrome://sandbox, about:support, respectively. Also describe disadvantages of enabling unprivileged user namespaces. Distributions like Debian currently disable unprivileged user namespaces by default to decrease the kernel attack surface for local privilege escalation. See Debian bug #898446. If kept disabled, Brave 1.2+ and Chrome will still enforce namespace sandboxing via their setuid-root helper executable. See brave/brave-browser#3420 and brave/brave-browser#6247. Firefox does not include a setuid-root binary, however, so unprivileged user namespaces are useful to have for defence-in-depth, but not critical. See <https://www.morbo.org/2018/05/linux-sandboxing-improvements-in_10.html>.
So, would it be better to use this? Doesn't this give root privileges to the sandbox? |
Root is only used to setup the sandbox. Privileges are dropped after entering it. |
|
@diracdeltas Issue's good to close now that the SUID sandbox fallback is operational, no? |
|
This looks outdated and no longer applicable, closing. Please reopen if necessary, or open a new issue. |
(follow up to #1986 since that issue got closed by my PR to change the Linux sandboxing error message)
Problem:
--no-sandboxflag is passed or user namespaces are enabled.--no-sandbox. In Add more helpful message for running on Debian brave-core#1204, I changed it to tell users they probably need user namespaces enabled. The rationale was that running with any sandbox, even a subpar one, is better than running without any sandbox.The main argument from https://lists.archlinux.org/pipermail/arch-general/2017-February/043066.html is that userns has so many vulnerabilities to the point of being useless, and hence is security theater; in other words we should assume any code that runs with some privileges in a user namespace can run with those privileges on the host itself.
However, if that were true, running Brave in a userns sandbox would be equivalent to running Brave without a sandbox. Does userns actively make security worse? (Other than perhaps luring people into a false sense of security.)
Some potential options:
The text was updated successfully, but these errors were encountered: