OSS-SEC: Three bypasses of Ubuntu's unprivileged user namespace restrictions

Summary

From: Qualys Security Advisory <qsa () qualys com>
Date: Thu, 27 Mar 2025 17:44:15 +0000

Qualys Security Advisory

Three bypasses of Ubuntu's unprivileged user namespace restrictions

========================================================================
Contents
========================================================================

Summary
Bypass via aa-exec
Bypass via busybox
Bypass via LD_PRELOAD
Acknowledgments
Timeline

(advisory sent to the Ubuntu Security Team on January 15, 2025)

------------------------------------------------------------------------

Prologue, from https://grsecurity.net/10_years_of_linux_security.pdf:

+ February 2013 (v3.8)
  - Unprivileged User Namespace support added
  - Greatly increased kernel attack surface, exposed many interfaces
    that previously saw little security scrutiny

+ Attack surface exposed by unprivileged user namespaces isn't
  decreasing anytime soon
  - Even more functionality being exposed

------------------------------------------------------------------------

========================================================================
Summary
========================================================================

Ubuntu 23.10 introduced unprivileged user namespace restrictions (the
sysctl kernel.apparmor_restrict_unprivileged_userns) and Ubuntu 24.04
enabled them by default. From Alex Murray's excellent blog post at
https://ubuntu.com/blog/whats-new-in-security-for-ubuntu-24-04-lts:

"Unprivileged user namespaces are a widely used feature of the Linux
kernel, providing additional security isolation for applications, and
are often employed as part of a sandbox environment. However, [...]
unprivileged user namespaces also expose additional attack surfaces
within the Linux kernel. There has been a long history of (ab)use of
unprivileged user namespaces to exploit various kernel vulnerabilities.

For Ubuntu 24.04 LTS, the use of unprivil...

First seen: 2025-03-29 20:30

Last seen: 2025-03-30 08:32