Deny CLONE_NEWUSER (restrict namespaces) #4939
Comments
|
If anyone wants to play (on x86-64 systems!):
sourceCargo.toml: [package]
name = "deny_clone_newuser_test"
version = "0.1.0"
edition = "2021"
[dependencies]
libc = "0.2"
libseccomp = "0.2.2"src/main.rs: use libseccomp::{get_syscall_from_name, scmp_cmp, ScmpAction, ScmpArgCompare, ScmpFilterContext};
use std::io;
fn main() -> Result<(), Box<dyn std::error::Error>> {
type SyscallBlocklist = &'static [(&'static str, i32, &'static [ScmpArgCompare])];
const EPERM: i32 = libc::EPERM;
const ENOSYS: i32 = libc::ENOSYS;
const CLONE_NEWUSER: u64 = libc::CLONE_NEWUSER as u64;
#[rustfmt::skip]
const DENY_CLONE_NEWUSER: SyscallBlocklist = &[
("clone", EPERM, &[scmp_cmp!($arg0 & CLONE_NEWUSER == CLONE_NEWUSER)]),
("clone3", ENOSYS, &[]),
("unshare", EPERM, &[scmp_cmp!($arg0 & CLONE_NEWUSER == CLONE_NEWUSER)]),
];
let mut ctx = ScmpFilterContext::new_filter(ScmpAction::Allow)?;
for &(syscall, errno, comparators) in DENY_CLONE_NEWUSER {
let syscall_nr = get_syscall_from_name(syscall, None)?;
let action = ScmpAction::Errno(errno);
ctx.add_rule_conditional(action, syscall_nr, comparators)?;
}
//ctx.export_pfc(&mut io::stdout())?;
ctx.export_bpf(&mut io::stdout())?;
Ok(())
} |
|
Good idea. I'd suggest a more generic command like systemd's |
|
Looking at https://github.com/systemd/systemd/blob/ee6fd6a50922d2b27c97084e1c3f9872d495c273/src/shared/seccomp-util.c#L1206 this sums up to if restrict_namespaces == ALL:
# Block setns unconditionally because it is useless if all namespaces are disallowed.
setns -> EPERM
else:
# Otherwise block `arg1 == 0` which has the special meaning 'setns all namespaces'
# allowing to bypass this restriction.
setns(_, 0) -> EPERM
for restricted_namespace in restricted_namespaces:
# Block unshare and setns calls which try to unshare/setns a restricted namespace.
unshare(restricted_namespace) -> EPERM
setns(_, restricted_namespace) -> EPERM
# Block clone calls which try to unshare a restricted namespace.
# NOTE: The interface of `clone` is different on different architectures.
clone(restricted_namespace, ...) -> EPERM
# Not in systemds `seccomp_restrict_namespaces` but should be blocked to see
# https://github.com/flatpak/flatpak/security/advisories/GHSA-67h7-w3jq-vh4q
# CVE-2021-41133
# https://github.com/flatpak/flatpak/commit/a10f52a7565c549612c92b8e736a6698a53db330
clone3 -> ENOSYS |
|
So after CVE-2022-0185 here's the next one CVE-2022-25636. |
|
An the list continues with CVE-2022-1015. |
|
Every month the same. And I don't even track all. |
|
Just posting this here because it might be of interest: |
|
Is someone working on this one or intends to do so? If not I would be interested in taking it. Maybe we can also set |
Or even better, unshare two user namespaces: The first user namespace only exists to impose limits on future namespace creation, by doing the equivalent of This requires a non-privileged version of Firejail though, so we need the seccomp filter as well. |
|
And more CVEs mitigated by this feature: CVE-2023-1281, CVE-2023-1829 |
Is your feature request related to a problem? Please describe.
N/A
Describe the solution you'd like
An command (e.g.
nonewuser) which blocks calls toclone(and others likeunshare) ifCLONE_NEWUSERis set.Describe alternatives you've considered
N/A
Additional context
Flatpak does this for example.
The text was updated successfully, but these errors were encountered: