Currently it is recommended to disable user namespaces completely.

```
# Disable user namespaces, as they open up a large attack surface to unprivileged users.
user.max_user_namespaces = 0
```
User namespaces are fine until they're used by privileged or root users. Unprivileged user namespaces is where it gets problematic. They've led to a lot of CVEs (as listed here); most major distributions carry a patch to disable unprivileged user namespaces entirely.

However, they're used by legitimate programs for sandboxing such as bubblewrap or the chromium-sandbox. If unprivileged user namespaces are disabled by default, it requires the programs to be SETUID to work correctly, but this increases the attack surface by a lot. chromium-sandbox is quite big and also written in C++. That being said, it is possible to restrict user namespaces globally and allow them per-app using SELinux as well as AppArmor (however the patches required are not upstreamed and only included in Ubuntu).
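An added example, not part of the issue or the project: a small POSIX shell audit that reads the sysctl knobs discussed above and reports which layer (if any) currently blocks unprivileged user namespaces, then probes the effective behaviour with `unshare`. The Debian/Ubuntu `kernel.unprivileged_userns_clone` and Ubuntu `kernel.apparmor_restrict_unprivileged_userns` knobs are distribution patches and are reported as absent on other kernels; the path parameters exist only so the function can be tested on constructed files.

```shell
#!/bin/sh
# Added example (not from the issue): audit the knobs governing unprivileged user namespaces.

# Print the value of a sysctl file, or "absent" if this kernel does not expose it.
read_knob() {
    if [ -r "$1" ]; then
        tr -d '[:space:]' < "$1"
    else
        echo absent
    fi
}

# userns_status MAX_PATH CLONE_PATH APPARMOR_PATH
# Prints one of:
#   disabled-globally    user.max_user_namespaces = 0 (the hardening recommended above;
#                        also breaks bubblewrap/chromium-sandbox without SETUID)
#   disabled-unpriv      kernel.unprivileged_userns_clone = 0 (Debian/Ubuntu patch)
#   restricted-apparmor  kernel.apparmor_restrict_unprivileged_userns = 1 (Ubuntu:
#                        per-app allow via AppArmor profiles, as discussed above)
#   enabled              unprivileged processes may create user namespaces
userns_status() {
    max=$(read_knob "$1")
    clone=$(read_knob "$2")
    aa=$(read_knob "$3")
    if [ "$max" = "0" ]; then
        echo disabled-globally
    elif [ "$clone" = "0" ]; then
        echo disabled-unpriv
    elif [ "$aa" = "1" ]; then
        echo restricted-apparmor
    else
        echo enabled
    fi
}

# Behavioural probe: can this (ideally unprivileged) shell actually create a user namespace?
probe_userns() {
    if unshare -Ur true 2>/dev/null; then echo yes; else echo no; fi
}

echo "policy: $(userns_status /proc/sys/user/max_user_namespaces \
                             /proc/sys/kernel/unprivileged_userns_clone \
                             /proc/sys/kernel/apparmor_restrict_unprivileged_userns)"
echo "unshare -Ur works: $(probe_userns)"
```

Run it as a regular user, not root, since the probe reflects the caller's privileges.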