Linux kernel use-after-free in Netfilter, local privilege escalation (opens in new tab)

(seclists.org)

288 pointskuizu3y ago101 comments

101 comments

"We developed an exploit that allows unprivileged local users to start a root shell by abusing the above issue. That exploit was shared privately with <security () kernel org> to assist with fix development. Somebody from the Linux kernel team then emailed the proposed fix to <linux-distros () vs openwall org> and that email also included a link to download our description of exploitation techniques and our exploit source code.

Therefore, according to the linux-distros list policy, the exploit must be published within 7 days from this advisory. In order to comply with that policy, I intend to publish both the description of exploitation techniques and also the exploit source code on Monday 15th by email to this list."

Interesting.. they didn't write what conditions have to be met for it to be exploitable. Also interesting that someone screwed up and accidentally forwarded an email including the exploit to a broad mailing list...

Part of the nf modules are active if you have iptables, which you have if you run ufw (for example), so pretty broad exploit if that's all that's required, but the specific module in question in the patch, nf_tables, is not loaded on my Ubuntu 20.04LTS 5.40 kernel running iptables/ufw at least.

pizzalife3y ago

> but the specific module in question in the patch, nf_tables, is not loaded on my Ubuntu 20.04LTS 5.40 kernel running iptables/ufw at least

This doesn't matter since Linux has autoloading of most network modules, and you can cause the modules to be loaded on Ubuntu since it supports unprivileged user/net namespaces.

  ubuntu:~% grep DISTRIB_DESCRIPTION /etc/lsb-release
  DISTRIB_DESCRIPTION="Ubuntu 22.04.2 LTS"
  ubuntu:~% lsmod|grep nf_table
  ubuntu:~% unshare -U -m -n -r
  ubuntu:~% nft add table inet filter
  ubuntu:~% lsmod|grep nf_table
  nf_tables             249856  0

TacticalCoder3y ago

For comparison, on my Debian Bookworm (aka "testing" but in hard freeze and full freeze in a few days I think, stable release in june) here...

    ...$  lsmod|grep nf_table    (tried without any just to make sure) 
    ...$  unshare -U -m -n -r
    unshare: unshare: failed: Operation not permitted
    ...$  /sbin/nft add table inet filter
    Error: Could not process rule: Operation not permitted
    add table inet filter
    ^^^^^^^^^^^^^^^^^^^^^^

    root #  cat /proc/sys/kernel/unprivileged_userns_clone
    0

veonik3y ago

Yikes... are other popular distros shipping with unprivileged user namespaces enabled by default?

marcthe123y ago

Most, I think Debian has patch to be disabled at runtime via sysctl. The reason is that most containers or sandboxing techniques are root only unless you mix it with user namescapes. So most container or sandbox software use suid(firejail) , root daemon(docker) or user namescapes (podman and flatpak). Looking at the cves, user namespaces is probably the safer option

galangalalgol3y ago

That is part of enabling rootless containers on rhel or similar.

1 more reply

failsecure3y ago

Yes and this decision haunts distros like Ubuntu over and over again. There's no easy win though.

touisteur3y ago

Do you need a user namespace? I'd expect a network namespace to be enough. Am I missing something?

Edit: should've read better, this seems to need CLONE_NEWUSER.

1 more reply

jstanley3y ago

> Somebody from the Linux kernel team then emailed the proposed fix to <linux-distros () vs openwall org> and that email also included a link to download our description of exploitation techniques and our exploit source code.

> Therefore, according to the linux-distros list policy, the exploit must be published within 7 days from this advisory. In order to comply with that policy, [...]

What? Someone publishes information about your vuln to a random mailing list, and this somehow creates an obligation on you to follow that mailing list's policies? I don't get it.

batch123y ago

Maybe they consider the exploit is in the wild when sending to a distro that large[0] with recipients that aren't provably trustworthy.

[0] https://oss-security.openwall.org/wiki/mailing-lists/distros

amatecha3y ago

I believe they are referring to this:

https://oss-security.openwall.org/wiki/mailing-lists/distros

> Please note that the maximum acceptable embargo period for issues disclosed to these lists is 14 days. Please do not ask for a longer embargo. In fact, embargo periods shorter than 7 days are preferable.

failsecure3y ago

Maybe linux-distros has a poc or GTFO rule in place to keep the unchecked "I can get root on your box with this one weird trick but I won't tell you how" emails to a minimum. Just a guess though.

jstanley3y ago

That's fine. They didn't want it on linux-distros anyway!

thelastparadise3y ago

I don't think the bug itself is newsworthy. The existence of the exploit code, and the way that it was accidentally published, I think are.

pizzalife3y ago

It's exploitable by an unprivileged user on the most popular distro out there (Ubuntu). I would say it's newsworthy.

hsbauauvhabzb3y ago

What’s actually reasonable here. I’m all for exploit code becoming public eventually, but I think it’s silly to drop it immediately after a fix has been released, or before, in almost all scenarios (unless there’s been 90+ days or the issue marked as wontfix)

sp3323y ago

Odds are that well-resourced attackers already have the exploit by now. Making it public lets users decide if this is important to them and come up with their own mitigations.

j_walter3y ago

Once they issue the patch...it's only a matter of time till a good chunk of reasonably decent coders can develop the exploit. Once the premise is released...yeah the top exploit coders will have this in a few hours.

1 more reply

ikiris3y ago

The link to the exploit accidentally went public. Anyone can have it.

candiddevmike3y ago

What a dumb policy. Why have the disclosure time be so soon? This thing will be in the wild before folks can upgrade if I'm understanding this correctly.

krastanov3y ago

The thing is already in the wild because someone on the private mailing list already accidentally mailed it to the public mailing list.

chasil3y ago

You have a few options for dealing with problems like this.

You can "apt update; apt upgrade" then reboot when a new kernel is available.

Oracle has also offered Ksplice for free on Ubuntu for many years, and I'm sure that patch will be available promptly.

https://ksplice.oracle.com/try/desktop

Otherwise, Kernelcare is available for a fee. I think Canonical also has paid kernel patches.

withinboredom3y ago

There is Ubuntu Pro which is free for up to five servers/desktops, after that, it requires a paid subscription.

explorer833y ago

Based on this 11 month old discussion this has been an exploit vector for sometime - https://groups.google.com/g/linux.debian.bugs.dist/c/ZF9rWY3...

"I vaguely recall at least around 6-7 such holes, and a quick google search seems to reveal that at least those would have been mitigated by unprivileged user namespaces being disabled: CVE-2019-18198 CVE-2020-14386 CVE-2022-0185 CVE-2022-24122 CVE-2022-25636 CVE-2022-1966 resp. CVE-2022-32250"

snvzz3y ago

There's easily thousands of such bugs hidden in the kernel.

Reminder the kernel has over ten million LoCs, or megabytes of object code.

Perhaps we should start thinking about whether it is a good idea to run something this large in supervisor mode, with full privileges.

I wouldn't say it is sensible in a world where seL4 exists.

akvadrako3y ago

It won't make that big of a difference. If you exploit the networking layer you could intercept any local traffic, which will mostly be unencrypted, and communicate with outside attackers. You are probably owned by that point unless you treated localhost as untrusted.

It's like why it doesn't matter if you are running as root or not. The user account has access to whats important, like a database or keychain.

0cf8612b2e1e3y ago

Microkernel does seem the only sensible path forward. Even if the kernel is slowly rustified, going to be playing security whack-a-mole for a long time.

anonymousiam3y ago

Back in the day when the micro-kernel/monolith flamewars were raging, the arguments for monolith were about improved performance and lower memory usage. I haven't seen much discussion on this topic for years, but at least those two arguments have not aged well.

pjmlp3y ago

Mostly because the cloud is based on microkernel like approach regardless of the kernel.

Hypervisors, userspace drivers, containers, language runtime sandboxes, bytecode deployments, driver and kernel sandboxes (safe kernel / driver guard),container only distributions,...

aflag3y ago

Why not? It isn't clear to me why monolithic kernel wouldn't still have better performance.

1 more reply

mananaysiempre3y ago

Spectre and friends seem to have killed Liedtke’s fast synchronous IPC, unfortunately. Of course, there’s still asynchronous IPC, exokernels (perhaps the closest thing to today’s containers), and so on.

CorbetL3y ago

Linux may eventually become a microkernel with most IPC done via io_uring, but it may take 20 years to reach this state.

touisteur3y ago

Right now it seems microvms are the way. Build an extremely minimal tailored kernel+userland for network-facing components. If you don't have nf_tables built-in (and it's not loadable because not present) this vulnerability isn't a problem. I mean, right now to use it one would have to chain it with a RCE on your userland app (or on the kernel but just skip the nf_tables step then...). Then one would have to escape the VM, then if you're using firecracker or crosvm, you'll have to break seccomp. Still imaginable, but by then I guess the next kernel (or userland app) fix release is already available :-) and you're already rebooting your microvm.

If you can CI/CD in minutes a reduced kernel+app and reboot in 100ms your network-facing thing (be it nginx or haproxy) you might just take latest vanilla anyway...

ttarr3y ago

Care to elaborate plz?

How would we go about GPUs, NCs, and many kinds of drivers?

galangalalgol3y ago

For rack servers you could probably get away with a number of microkernel os today. Desktop has clear options in that regard, but you are giving up op n source.

userbinator3y ago

Alternatively, perhaps we should start thinking about whether it is a good idea to have multiple users of different privilege sharing the same hardware.

gizmo6863y ago

"User" in a modern Linux system is just a weird name for "security domain". Many programs run as their own user to limit their ability to attack the rest of the system if they get compromised; and limit the ability of a different compromised component from attacking them.

My desktop, on which I am the only person with an account, has 49 "users", of which 11 are actively running a process.

At work, every daemon we run has a dedicated user.

On android, every app runs as its own user.

thfuran3y ago

What's the alternative, just running all code at ring 0?

Aerbil3133y ago

https://www.theseus-os.com/

userbinator3y ago

IMHO rings 0 + 3 with protections against bugs, and not deliberate malice, is probably the sweet spot.

travis7293y ago

I’ve been thinking this recently as well.

saagarjha3y ago

Who's going to make seL4 perform comparably to Linux?

snvzz3y ago

Why would we need to slow seL4 down?

saagarjha3y ago

I'm not really in the mood for trolling.

2 more replies

phendrenad23y ago

Actually over 30 million LOC

unixhero3y ago

Well it is the kernel.

Gigachad3y ago

We really need to be moving faster on migrating Linux to a safer language which prevents these kinds of issues.

knorker3y ago

> delete an existing nft rule that uses an nft anonymous set. And an example of the latter operation is an attempt to delete an element from that nft anonymous set after the set gets deleted

I'd be very interested to hear how this can be done by an unprivileged user.

Try to race set add/removals, sure, but if it depends on the set itself getting deleted, that seems… harder.

0x006A3y ago

on https://bugzilla.redhat.com/show_bug.cgi?id=2196105 a comment suggests that it might only be possible if you have "unprivileged user namespaces" enabled

pizzalife3y ago

>a comment suggests that it might only be possible if you have "unprivileged user namespaces" enabled

Which is the default on Ubuntu.

chlorion3y ago

It's the default on pretty much any modern Linux system!

1 more reply

AdamJacobMuller3y ago

https://nvd.nist.gov/vuln/detail/CVE-2023-32233

The NIST CVE page points back here. Funny.

Nothing I see so far specifically says how far back this goes, but, https://security-tracker.debian.org/tracker/CVE-2023-32233

Seems to go back really far.

moring3y ago

Honest question: Why did they build an exploit that uses the bug? I always assumed that use-after-free is equivalent to "game over" (i.e. I assumed that local privilege escalation is a given) and it is clear that such a bug must be fixed.

By that I mean, it might be easy or hard to exploit a bug to achieve LPE, but it seems to be redundant to prove that it is possible.

mort963y ago

Making a PoC is a great way to convince both yourself and the maintainers that the bug is actually exploitable in the wild and thus a big fucking deal. Alternatively, you might discover that there are some other things going on which turns out to make the bug unexploitable.

moring3y ago

Let me rephrase my question: Is there actually such a thing as an "unexploitable use-after-free"? How would that look like? How would you reason that it is actually unexploitable?

Context: My experience with C programming is that practically every bug that is related to memory management tends to blow up right into your face, at the most inconvenient time possible.

mort963y ago

Here's a stupid example:

    struct foo *whatever = new_foo();
    // use 'whatever'
    free_foo(whatever);
    if (whatever->did_something) {
        log_message("The whatever did something.");
    }
    // never use 'whatever' after this point

The 'whatever' variable is used after what it points to is freed, but it's not exploitable. Worst case, if new memory gets allocated in its place and an attacker controls the data in the offset of the 'did_something' field, the attacker can control whether we log a message or not, which isn't a security vulnerability.

1 more reply

friendzis3y ago

> How would that look like? How would you reason that it is actually unexploitable?

For use-after-free to be exploitable, by definition an attacker must be able to put arbitrary content at the memory region. This is not always easy: may require certain [mis]configuration, data layout and so on.

> practically every bug that is related to memory management tends to blow up right into your face, at the most inconvenient time possible.

I will not contest this claim, however there is a difference between "blow up" and "exploit". Malicious packet being able to segfault a server is one thing, malicious packet resulting in RCE is quite another. This may be a lost in translation moment when under colloquial use "exploit" does not include DoS.

igo958623y ago

I am developing a sandbox project for Linux desktop applications called bubblejail:

https://github.com/igo95862/bubblejail

In the next not yet released version 0.8.0 there will be a new option to disable a specific namespace type per sandbox. For example, disabling the network namespace would prevent this exploit.

This is more flexible than globally disabling all user namespaces as some programs might use other more harmless namespaces like Steam uses mount namespaces to setup runtime libraries.

alex14fr3y ago

Glad to have sticked with the good old iptables and left CONFIG_NF_TABLES unset in kernel configuration.

sam_lowry_3y ago

Aren't iptables just an emulation layer on top of netfilter?

failsecure3y ago

For modern distros, the nft package includes an alternative binary that takes the place of /sbin/iptables and translates the input to an nft compatible format. As far as the kernel is concerned, iptables is still iptables. Old iptables can be accessed by calling the iptables-legacy binary which will auto load the old iptables ko.

TechBro86153y ago

Yes, AFAIU (not an expert), iptables and nftables are two command line tools and abstractions (chains vs. tables) for interacting with the same underlying netfilter API.

nubinetwork3y ago

I believe at one time they were two separate subsystems, but they got merged in 4.x or 5.x

1 more reply

eikenberry3y ago

Probably depends on the distro. Iptables is a wrapper around nftables in most distros, but probably not all.

smashed3y ago

You can check with: iptables -V

If it says (nf_tables), you are using the compatibility layer from the iptables-nft package.

It works quite well. Apps like Docker that inserts rules using the legacy iptables syntax are oblivious to the fact that they are actually inserting nftables rules.

It also provides an easy migration path. Insert your old rules using your iptables script then list them in the new syntax using nft list ruleset.

The problem is that it works so well that it seems most users just stayed with the iptables syntax and did not bother migrating at all.

1 more reply

fnordpiglet3y ago

Rust needs to be more prominent in the kernel, and where not rust ebpf. The days of hand mangling pointer arithmetic need to end.

eklitzke3y ago

The patch doesn't fix anything with pointer arithmetic: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/lin...

wtallis3y ago

I wouldn't generally expect a use-after-free to result from improper pointer arithmetic; that's the recipe for a buffer overflow. But Rust happens to also be well-known for helping manage object lifetimes, which seems to be what went wrong here.

eklitzke3y ago

I'm not sure if your claim here is correct. The patch is to change call sites like

  priv->set->use++;

To look like:

  nf_tables_activate_set(ctx, priv->set);

Where this function is defined as:

  void nf_tables_activate_set(const struct nft_ctx *ctx, struct nft_set *set) {
    if (nft_set_is_anonymous(set))
      nft_clear(ctx->net, set);
    set->use++;
  }

So to me (someone who is not an expert in this code) it looks like the fix is checking if the set has the anonymous flag before changing the reference count. I'm not an expert in this code and I could be mistaken, but I think your claim that this would be fixed by Rust object lifetime checking requires better evidence.

3 more replies

j / k navigate · click thread line to collapse

101 comments

l33tman3y ago

pizzalife3y ago

> but the specific module in question in the patch, nf_tables, is not loaded on my Ubuntu 20.04LTS 5.40 kernel running iptables/ufw at least

This doesn't matter since Linux has autoloading of most network modules, and you can cause the modules to be loaded on Ubuntu since it supports unprivileged user/net namespaces.

  ubuntu:~% grep DISTRIB_DESCRIPTION /etc/lsb-release
  DISTRIB_DESCRIPTION="Ubuntu 22.04.2 LTS"
  ubuntu:~% lsmod|grep nf_table
  ubuntu:~% unshare -U -m -n -r
  ubuntu:~% nft add table inet filter
  ubuntu:~% lsmod|grep nf_table
  nf_tables             249856  0

TacticalCoder3y ago

For comparison, on my Debian Bookworm (aka "testing" but in hard freeze and full freeze in a few days I think, stable release in june) here...

    ...$  lsmod|grep nf_table    (tried without any just to make sure) 
    ...$  unshare -U -m -n -r
    unshare: unshare: failed: Operation not permitted
    ...$  /sbin/nft add table inet filter
    Error: Could not process rule: Operation not permitted
    add table inet filter
    ^^^^^^^^^^^^^^^^^^^^^^

    root #  cat /proc/sys/kernel/unprivileged_userns_clone
    0

veonik3y ago

Yikes... are other popular distros shipping with unprivileged user namespaces enabled by default?

marcthe123y ago

galangalalgol3y ago

That is part of enabling rootless containers on rhel or similar.

1 more reply

failsecure3y ago

Yes and this decision haunts distros like Ubuntu over and over again. There's no easy win though.

touisteur3y ago

Do you need a user namespace? I'd expect a network namespace to be enough. Am I missing something?

Edit: should've read better, this seems to need CLONE_NEWUSER.

1 more reply

jstanley3y ago

> Therefore, according to the linux-distros list policy, the exploit must be published within 7 days from this advisory. In order to comply with that policy, [...]

What? Someone publishes information about your vuln to a random mailing list, and this somehow creates an obligation on you to follow that mailing list's policies? I don't get it.

batch123y ago

Maybe they consider the exploit is in the wild when sending to a distro that large[0] with recipients that aren't provably trustworthy.

[0] https://oss-security.openwall.org/wiki/mailing-lists/distros

amatecha3y ago

I believe they are referring to this:

https://oss-security.openwall.org/wiki/mailing-lists/distros

failsecure3y ago

Maybe linux-distros has a poc or GTFO rule in place to keep the unchecked "I can get root on your box with this one weird trick but I won't tell you how" emails to a minimum. Just a guess though.

jstanley3y ago

That's fine. They didn't want it on linux-distros anyway!

thelastparadise3y ago

I don't think the bug itself is newsworthy. The existence of the exploit code, and the way that it was accidentally published, I think are.

pizzalife3y ago

It's exploitable by an unprivileged user on the most popular distro out there (Ubuntu). I would say it's newsworthy.

hsbauauvhabzb3y ago

sp3323y ago

Odds are that well-resourced attackers already have the exploit by now. Making it public lets users decide if this is important to them and come up with their own mitigations.

j_walter3y ago

1 more reply

ikiris3y ago

The link to the exploit accidentally went public. Anyone can have it.

candiddevmike3y ago

What a dumb policy. Why have the disclosure time be so soon? This thing will be in the wild before folks can upgrade if I'm understanding this correctly.

krastanov3y ago

The thing is already in the wild because someone on the private mailing list already accidentally mailed it to the public mailing list.

chasil3y ago

You have a few options for dealing with problems like this.

You can "apt update; apt upgrade" then reboot when a new kernel is available.

Oracle has also offered Ksplice for free on Ubuntu for many years, and I'm sure that patch will be available promptly.

https://ksplice.oracle.com/try/desktop

Otherwise, Kernelcare is available for a fee. I think Canonical also has paid kernel patches.

withinboredom3y ago

There is Ubuntu Pro which is free for up to five servers/desktops, after that, it requires a paid subscription.

explorer833y ago

Based on this 11 month old discussion this has been an exploit vector for sometime - https://groups.google.com/g/linux.debian.bugs.dist/c/ZF9rWY3...

snvzz3y ago

There's easily thousands of such bugs hidden in the kernel.

Reminder the kernel has over ten million LoCs, or megabytes of object code.

Perhaps we should start thinking about whether it is a good idea to run something this large in supervisor mode, with full privileges.

I wouldn't say it is sensible in a world where seL4 exists.

akvadrako3y ago

It's like why it doesn't matter if you are running as root or not. The user account has access to whats important, like a database or keychain.

0cf8612b2e1e3y ago

Microkernel does seem the only sensible path forward. Even if the kernel is slowly rustified, going to be playing security whack-a-mole for a long time.

anonymousiam3y ago

pjmlp3y ago

Mostly because the cloud is based on microkernel like approach regardless of the kernel.

Hypervisors, userspace drivers, containers, language runtime sandboxes, bytecode deployments, driver and kernel sandboxes (safe kernel / driver guard),container only distributions,...

aflag3y ago

Why not? It isn't clear to me why monolithic kernel wouldn't still have better performance.

1 more reply

mananaysiempre3y ago

CorbetL3y ago

Linux may eventually become a microkernel with most IPC done via io_uring, but it may take 20 years to reach this state.

touisteur3y ago

If you can CI/CD in minutes a reduced kernel+app and reboot in 100ms your network-facing thing (be it nginx or haproxy) you might just take latest vanilla anyway...

ttarr3y ago

Care to elaborate plz?

How would we go about GPUs, NCs, and many kinds of drivers?

galangalalgol3y ago

For rack servers you could probably get away with a number of microkernel os today. Desktop has clear options in that regard, but you are giving up op n source.

userbinator3y ago

Alternatively, perhaps we should start thinking about whether it is a good idea to have multiple users of different privilege sharing the same hardware.

gizmo6863y ago

My desktop, on which I am the only person with an account, has 49 "users", of which 11 are actively running a process.

At work, every daemon we run has a dedicated user.

On android, every app runs as its own user.

thfuran3y ago

What's the alternative, just running all code at ring 0?

Aerbil3133y ago

https://www.theseus-os.com/

userbinator3y ago

IMHO rings 0 + 3 with protections against bugs, and not deliberate malice, is probably the sweet spot.

travis7293y ago

I’ve been thinking this recently as well.

saagarjha3y ago

Who's going to make seL4 perform comparably to Linux?

snvzz3y ago

Why would we need to slow seL4 down?

saagarjha3y ago

I'm not really in the mood for trolling.

2 more replies

phendrenad23y ago

Actually over 30 million LOC

unixhero3y ago

Well it is the kernel.

Gigachad3y ago

We really need to be moving faster on migrating Linux to a safer language which prevents these kinds of issues.

knorker3y ago

> delete an existing nft rule that uses an nft anonymous set. And an example of the latter operation is an attempt to delete an element from that nft anonymous set after the set gets deleted

I'd be very interested to hear how this can be done by an unprivileged user.

Try to race set add/removals, sure, but if it depends on the set itself getting deleted, that seems… harder.

0x006A3y ago

on https://bugzilla.redhat.com/show_bug.cgi?id=2196105 a comment suggests that it might only be possible if you have "unprivileged user namespaces" enabled

pizzalife3y ago

>a comment suggests that it might only be possible if you have "unprivileged user namespaces" enabled

Which is the default on Ubuntu.

chlorion3y ago

It's the default on pretty much any modern Linux system!

1 more reply

AdamJacobMuller3y ago

https://nvd.nist.gov/vuln/detail/CVE-2023-32233

The NIST CVE page points back here. Funny.

Nothing I see so far specifically says how far back this goes, but, https://security-tracker.debian.org/tracker/CVE-2023-32233

Seems to go back really far.

moring3y ago

By that I mean, it might be easy or hard to exploit a bug to achieve LPE, but it seems to be redundant to prove that it is possible.

mort963y ago

moring3y ago

Let me rephrase my question: Is there actually such a thing as an "unexploitable use-after-free"? How would that look like? How would you reason that it is actually unexploitable?

Context: My experience with C programming is that practically every bug that is related to memory management tends to blow up right into your face, at the most inconvenient time possible.

mort963y ago

Here's a stupid example:

    struct foo *whatever = new_foo();
    // use 'whatever'
    free_foo(whatever);
    if (whatever->did_something) {
        log_message("The whatever did something.");
    }
    // never use 'whatever' after this point

1 more reply

friendzis3y ago

> How would that look like? How would you reason that it is actually unexploitable?

> practically every bug that is related to memory management tends to blow up right into your face, at the most inconvenient time possible.

igo958623y ago

I am developing a sandbox project for Linux desktop applications called bubblejail:

https://github.com/igo95862/bubblejail

In the next not yet released version 0.8.0 there will be a new option to disable a specific namespace type per sandbox. For example, disabling the network namespace would prevent this exploit.

This is more flexible than globally disabling all user namespaces as some programs might use other more harmless namespaces like Steam uses mount namespaces to setup runtime libraries.

alex14fr3y ago

Glad to have sticked with the good old iptables and left CONFIG_NF_TABLES unset in kernel configuration.

sam_lowry_3y ago

Aren't iptables just an emulation layer on top of netfilter?

failsecure3y ago

TechBro86153y ago

Yes, AFAIU (not an expert), iptables and nftables are two command line tools and abstractions (chains vs. tables) for interacting with the same underlying netfilter API.

nubinetwork3y ago

I believe at one time they were two separate subsystems, but they got merged in 4.x or 5.x

1 more reply

eikenberry3y ago

Probably depends on the distro. Iptables is a wrapper around nftables in most distros, but probably not all.

smashed3y ago

You can check with: iptables -V

If it says (nf_tables), you are using the compatibility layer from the iptables-nft package.

It works quite well. Apps like Docker that inserts rules using the legacy iptables syntax are oblivious to the fact that they are actually inserting nftables rules.

It also provides an easy migration path. Insert your old rules using your iptables script then list them in the new syntax using nft list ruleset.

The problem is that it works so well that it seems most users just stayed with the iptables syntax and did not bother migrating at all.

1 more reply

fnordpiglet3y ago

Rust needs to be more prominent in the kernel, and where not rust ebpf. The days of hand mangling pointer arithmetic need to end.

eklitzke3y ago

The patch doesn't fix anything with pointer arithmetic: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/lin...

wtallis3y ago

eklitzke3y ago

I'm not sure if your claim here is correct. The patch is to change call sites like

  priv->set->use++;

To look like:

  nf_tables_activate_set(ctx, priv->set);

Where this function is defined as:

  void nf_tables_activate_set(const struct nft_ctx *ctx, struct nft_set *set) {
    if (nft_set_is_anonymous(set))
      nft_clear(ctx->net, set);
    set->use++;
  }

3 more replies

j / k navigate · click thread line to collapse