User Namespace & Related |
{% hint style="warning" %} To better understand why the warnings & the solutions, it is recommended to read:
- The TLDR is that a user namespace is a way to isolate user and group IDs between processes, like creating a "mini operating system" inside the real operating system.
- In a user namespace, a process can think it's running as the root user (with the usual admin powers over things inside that namespace), but outside of that namespace it is still the regular user that created it.
- This lets AppImages (& variants) think they have full control, when in fact they are limited to what the outer system allows.
- Some distros like Ubuntu (23.10+) restrict unprivileged user namespaces using AppArmor for security: https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces (Also see https://getsol.us/2024/07/15/dropping-apparmor-kernel-patches/ & linuxmint/mint22-beta#82)
- But you can disable that restriction, and just use modern sandboxing tools like BubbleWrap & firejail, or wrappers like AISAP & Chains. Keep the trade-off in mind: unprivileged user namespaces expose more kernel attack surface to every unprivileged process, which is exactly why those distros restrict them. {% endhint %}
{% code overflow="wrap" %}
!#Check if it's enabled at Kernel Level
sysctl -n user.max_user_namespaces
#This will print a number (the maximum number of user namespaces that may be created)
#if it prints nothing (the key doesn't exist) or prints 0, then it's disabled
!#Check if it's enabled/restricted Using unshare : https://man7.org/linux/man-pages/man1/unshare.1.html
unshare --user echo "User namespaces supported"
#If Supported: User namespaces supported
#If Not: unshare: unshare(0x10000000): Operation not permitted
#(0x10000000 is CLONE_NEWUSER, so this is the kernel or an LSM refusing to create the namespace)
!#Check if AppArmor|SELinux is stopping us
sudo dmesg | grep -iE '(selinux|apparmor|security)'
#Look for lines containing words like denied, disallowing etc
#e.g. on Ubuntu 23.10+ you'll see apparmor="DENIED" operation="userns_create" ... for the blocked program
{% endcode %}
{% hint style="info" %}
- READ: https://www.baeldung.com/linux/kernel-enable-user-namespaces
- READ: https://man7.org/linux/man-pages/man7/namespaces.7.html
- READ: https://man7.org/linux/man-pages/man7/user_namespaces.7.html
- You will also need to install uidmap (it provides newuidmap/newgidmap, needed to map more than one UID/GID into the namespace)
- For Ubuntu (AppArmor): https://askubuntu.com/questions/1511854/how-to-permanently-disable-ubuntus-new-apparmor-user-namespace-creation-restric {% endhint %}
{% code overflow="wrap" %}
!#Because /proc/self/ns/user on your System doesn't exist (the kernel was built without CONFIG_USER_NS)
#Confirm via the kernel config, if your distro ships it:
# grep CONFIG_USER_NS "/boot/config-$(uname -r)" || zcat /proc/config.gz | grep CONFIG_USER_NS
1. Install SUID Bubblewrap into the system [a setuid binary runs privileged, so keep it updated; still far safer than option 2]
#For RunImage this solution works; for other tools, refer to their own docs.
# wget "https://bin.pkgforge.dev/$(uname -m)/bwrap" -O "/tmp/bwrap"
# sudo cp -f "/tmp/bwrap" "/usr/bin/bwrap" && sudo chmod u+s "/usr/bin/bwrap"
2. Run the packages (that require user namespaces) as ROOT [NOT RECOMMENDED & DANGEROUS: the sandbox's "fake root" is then real root, so an escape gives full control of the host]
3. Install a kernel with user namespaces support (CONFIG_USER_NS=y) like the XanMod kernel -> https://xanmod.org
{% endcode %}
{% code overflow="wrap" %}
!#Because /proc/sys/kernel/unprivileged_userns_clone == 0
#(this knob only exists on kernels carrying the Debian/Arch-style patch; if the file is missing, skip this fix)
❯ Enable unprivileged_userns_clone
echo "kernel.unprivileged_userns_clone=1" | sudo tee "/etc/sysctl.d/98-unprivileged-userns-clone.conf"
echo "1" | sudo tee "/proc/sys/kernel/unprivileged_userns_clone"
sudo sysctl --system
#No reboot needed: the echo applies it now & the /etc/sysctl.d file makes it persist
#(sysctl -p only reads /etc/sysctl.conf, which is why --system is used to verify the drop-in is loaded)
{% endcode %}
{% code overflow="wrap" %}
!#Because /proc/sys/user/max_user_namespaces == 0
❯ Enable max_user_namespaces
echo "user.max_user_namespaces=10000" | sudo tee "/etc/sysctl.d/98-max-user-namespaces.conf"
echo "10000" | sudo tee "/proc/sys/user/max_user_namespaces"
sudo sysctl --system
#No reboot needed: the echo applies it now & the /etc/sysctl.d file makes it persist
#(keep both values the same, otherwise the limit changes again on the next boot)
{% endcode %}
{% code overflow="wrap" %}
!#Because /proc/sys/kernel/userns_restrict == 1
#(only present on kernels carrying the userns_restrict patch; if the file is missing, skip this fix)
❯ Disable userns_restrict
echo "kernel.userns_restrict=0" | sudo tee "/etc/sysctl.d/98-userns.conf"
echo "0" | sudo tee "/proc/sys/kernel/userns_restrict"
sudo sysctl --system
#No reboot needed: the echo applies it now & the /etc/sysctl.d file makes it persist
{% endcode %}
{% code overflow="wrap" %}
!#Because /proc/sys/kernel/apparmor_restrict_unprivileged_userns == 1 (Ubuntu 23.10+)
❯ Disable apparmor_restrict_unprivileged_userns
echo "kernel.apparmor_restrict_unprivileged_userns=0" | sudo tee "/etc/sysctl.d/98-apparmor-unuserns.conf"
echo "0" | sudo tee "/proc/sys/kernel/apparmor_restrict_unprivileged_userns"
sudo sysctl --system
#No reboot needed: the echo applies it now & the /etc/sysctl.d file makes it persist
#This turns the restriction off for every unconfined program on the system.
#The narrower alternative is what Ubuntu does for its own browsers: give the app an AppArmor profile containing the "userns," rule,
#so only that app may create user namespaces while the global restriction stays on.
{% endcode %}
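The checks and fixes above each look at one knob in isolation. The script below is an added example (not code from this page or from pkgforge) that walks all of them in the same order the fixes appear and names the first one that blocks unprivileged user namespaces, so you know which of the blocks above to apply. The `ROOT` prefix argument is an assumption introduced for testing: empty (the default) inspects the live system, while a directory prefix lets the same logic run against a constructed fake `/proc` tree. The token names and the `remedy` text are this example's own.

```shell
#!/bin/sh
# Added example, not part of the page: find the first knob that blocks
# unprivileged user namespaces, then optionally probe the kernel for real.
# ROOT (first argument of diagnose_userns) is an assumed test hook:
#   ""            -> look at the live /proc
#   "/some/dir"   -> look at /some/dir/proc (a constructed fake tree)

# knob ROOT PATH -> file contents with whitespace stripped, or "absent"
knob() {
    if [ -r "$1$2" ]; then
        tr -d '[:space:]' < "$1$2"
    else
        printf 'absent'
    fi
}

# diagnose_userns [ROOT] -> prints exactly one token:
#   no_kernel_support | unprivileged_userns_clone | max_user_namespaces |
#   userns_restrict | apparmor_restrict_unprivileged_userns | ok
# A knob that does not exist on this kernel is skipped, not treated as a blocker.
diagnose_userns() {
    dr="${1:-}"
    # CONFIG_USER_NS=n: no user-namespace support at all
    if [ ! -e "$dr/proc/self/ns/user" ]; then
        printf 'no_kernel_support'; return 0
    fi
    # Debian/Arch-style patch: 0 forbids unprivileged CLONE_NEWUSER
    if [ "$(knob "$dr" /proc/sys/kernel/unprivileged_userns_clone)" = 0 ]; then
        printf 'unprivileged_userns_clone'; return 0
    fi
    # upstream limit: 0 means no user namespace may be created
    if [ "$(knob "$dr" /proc/sys/user/max_user_namespaces)" = 0 ]; then
        printf 'max_user_namespaces'; return 0
    fi
    # only on kernels carrying the userns_restrict patch
    if [ "$(knob "$dr" /proc/sys/kernel/userns_restrict)" = 1 ]; then
        printf 'userns_restrict'; return 0
    fi
    # Ubuntu 23.10+: AppArmor denies userns_create to unconfined programs
    if [ "$(knob "$dr" /proc/sys/kernel/apparmor_restrict_unprivileged_userns)" = 1 ]; then
        printf 'apparmor_restrict_unprivileged_userns'; return 0
    fi
    printf 'ok'
}

# remedy TOKEN -> which of the page's fixes clears that blocker (wording is this example's)
remedy() {
    case "$1" in
        no_kernel_support) printf 'kernel lacks CONFIG_USER_NS: setuid bwrap, or a kernel built with user namespaces' ;;
        unprivileged_userns_clone) printf 'sysctl kernel.unprivileged_userns_clone=1' ;;
        max_user_namespaces) printf 'sysctl user.max_user_namespaces=10000' ;;
        userns_restrict) printf 'sysctl kernel.userns_restrict=0' ;;
        apparmor_restrict_unprivileged_userns) printf 'sysctl kernel.apparmor_restrict_unprivileged_userns=0 (or an AppArmor profile with "userns,")' ;;
        ok) printf 'nothing to do' ;;
        *) printf 'unknown token' ;;
    esac
}

# live_probe -> ask the kernel directly, the same way the unshare check does
live_probe() {
    command -v unshare >/dev/null 2>&1 || { printf 'unshare_missing'; return 0; }
    if unshare --user true 2>/dev/null; then
        printf 'unshare_ok'
    else
        printf 'unshare_denied'
    fi
}

blocker=$(diagnose_userns)
printf 'sysctl view : %s\n' "$blocker"
printf 'remedy      : %s\n' "$(remedy "$blocker")"
printf 'live probe  : %s\n' "$(live_probe)"
```

If the sysctl view says `ok` but the live probe still says `unshare_denied`, the block is coming from something this script does not read (an AppArmor profile confining your shell, a seccomp filter inherited from a container runtime, or an LSM other than AppArmor), and `dmesg` is the next place to look.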
{% hint style="info" %} Read: https://www.baeldung.com/linux/list-namespaces {% endhint %}
{% code overflow="wrap" %}
!#Check Chrome/Chromium: in the Address Bar
chrome://sandbox
#Chrome should report Layer 1 Sandbox: Namespace & "You are adequately sandboxed." i.e. it's properly sandboxed in a user namespace
!#Check any App with lsns (APP_NAME == pkg or the actual binary, & remember to keep the APP RUNNING)
lsns -t user -t pid -t net | grep -i "${APP_NAME}"
#Example: lsns -t user -t pid -t net | grep -i "firefox"
#If you get no output, it means it's not enabled/working/supported
#Otherwise you will get lines listing the user, pid & net namespaces the app's processes live in, i.e. Firefox is properly sandboxed in a user namespace
{% endcode %}