Ubuntu to Restrict User Namespace Access

Canonical announced that Ubuntu 23.10 will restrict unprivileged users' access to user namespaces. The change is meant to harden systems that rely on container isolation against kernel vulnerabilities whose exploitation depends on user namespaces. According to data from Google, 44% of the exploits submitted to its reward program for Linux kernel vulnerabilities require the ability to create user namespaces.

Instead of blocking access to user namespaces outright, Ubuntu has opted for a hybrid approach. A program may still create user namespaces if it has an AppArmor profile containing the “Allow Userns Create” rule, or if it holds the CAP_SYS_ADMIN capability. The Chrome profile at /etc/apparmor.d/opt.google.chrome.chrome is an example and can serve as a reference for granting user namespace access to other programs.

In the upcoming Ubuntu 23.10 release, the user namespace restriction will be offered as an optional feature and will not be enabled by default. After the release, the developers will collect feedback on how disabling user namespace access affects package functionality and will prepare the corresponding AppArmor profiles. The restriction will eventually be activated by default in a subsequent Stable Release Update of the kernel package.

To enable the restriction early, run sudo sysctl -w kernel.apparmor_restrict_unprivileged_unconfined=1 (sudo sysctl --write kernel.apparmor_restrict_unprivileged_unconfined=1 is the same command with the long option).
