
Security researchers at Qualys have identified three methods to bypass Ubuntu's unprivileged user namespace restrictions, a security feature introduced in Ubuntu 23.10 and enabled by default in Ubuntu 24.04 LTS.
The restrictions, implemented through AppArmor, were designed to reduce the attack surface of the Linux kernel by limiting unprivileged users' ability to create namespaces with full administrator capabilities.
According to Ubuntu's documentation, unprivileged user namespaces "have been repeatedly used to exploit kernel vulnerabilities," making this restriction an important security hardening measure.
However, Qualys discovered that attackers could circumvent these protections through three distinct methods.
- The first bypass uses the aa-exec tool, which is installed by default on Ubuntu. Researchers found that attackers can use this tool to transition to pre-configured AppArmor profiles that permit the creation of fully-capable user namespaces, such as those for Chrome, Flatpak, or Trinity.
- The second method leverages BusyBox, also installed by default. By executing a BusyBox shell, attackers can run commands that create user namespaces with full capabilities, as BusyBox's AppArmor profile permits this action.
- The third approach uses an LD_PRELOAD technique to inject code into programs such as Nautilus (the default file manager on Ubuntu Desktop) whose AppArmor profiles allow privileged namespace creation; the injected code then creates the namespace from inside that already-confined process.
Qualys clarifies that these bypasses do not grant any privileges outside the namespace. What they give an unprivileged user is a user namespace in which the process holds full capabilities, and that is precisely the precondition for many kernel exploits: a local kernel vulnerability that is only reachable with CAP_SYS_ADMIN (or another capability) becomes reachable again once the restriction is sidestepped.
Security researcher Alex Murray previously described unprivileged user namespaces as having "a long history of (ab)use... to exploit various kernel vulnerabilities" in a blog post about Ubuntu 24.04's security features.
The restrictions were intended to allow applications to use namespaces for isolation while preventing abuse of additional kernel attack surfaces.
Ubuntu's security team emphasizes that these bypasses are not vulnerabilities per se, as the AppArmor protections still provide an additional layer of defense compared to distributions with no restrictions. As Ubuntu notes, "an imperfect protection remains better than no protection at all."
For administrators seeking to further harden their systems, Ubuntu recommends several mitigations. The first is enabling the kernel.apparmor_restrict_unprivileged_unconfined sysctl, which prevents an unconfined process from changing to a more permissive profile and so closes the aa-exec route. It does not affect the BusyBox and Nautilus routes, because those binaries receive their permissive profile automatically when executed; for them Ubuntu recommends removing the broad busybox and nautilus profiles if their namespace functionality is not required. With the profiles gone, those programs run unconfined and fall back under the default restriction.
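The following script is an added example, not code from Qualys or Ubuntu. It audits a host for the settings the mitigations above touch and, on request, applies them. It assumes the standard procfs and securityfs paths, that the `kernel.apparmor_restrict_unprivileged_userns` sysctl (the restriction itself, introduced in 23.10) exists alongside the `*_unconfined` one, and that the `chrome` profile used in the aa-exec check is loaded; the profile list handed to `broad_profiles_loaded` in the usage below is a constructed sample.

```shell
#!/bin/sh
# Added example (not Qualys's or Ubuntu's code): audit and harden the
# unprivileged user namespace restriction on Ubuntu 24.04.
# Assumed: /proc/sys/kernel/apparmor_restrict_unprivileged_{userns,unconfined}
# and /sys/kernel/security/apparmor/profiles exist on the target host.
set -u

# Classify a sysctl value: "hardened" when 1, "permissive" otherwise.
classify_sysctl() {
  case "${1:-}" in
    1)       echo hardened ;;
    missing) echo missing ;;
    *)       echo permissive ;;
  esac
}

# Read a kernel sysctl from procfs; prints "missing" when the knob is absent.
read_sysctl() {
  f="/proc/sys/kernel/$1"
  if [ -r "$f" ]; then cat "$f"; else echo missing; fi
}

# Given the securityfs profile list ("name (mode)" per line), report which of
# the broad profiles named in the article (busybox, nautilus) are loaded.
broad_profiles_loaded() {
  list="$1"; hits=""
  for p in busybox nautilus; do
    if printf '%s\n' "$list" | awk '{print $1}' | grep -qx "$p"; then
      hits="${hits:+$hits }$p"
    fi
  done
  echo "$hits"
}

# Live check: can this (unconfined, unprivileged) shell get a user namespace
# with full capabilities? "yes" means the restriction is not in effect here.
userns_capable() {
  if unshare -U -r true 2>/dev/null; then echo yes; else echo no; fi
}

# Live check of the aa-exec route: transition to a permissive profile
# (assumed loaded, e.g. chrome) and retry. "yes" means the route is open.
userns_via_profile() {
  if command -v aa-exec >/dev/null 2>&1 \
     && aa-exec -p "$1" -- unshare -U -r true 2>/dev/null; then
    echo yes
  else
    echo no
  fi
}

audit() {
  for s in apparmor_restrict_unprivileged_userns apparmor_restrict_unprivileged_unconfined; do
    v=$(read_sysctl "$s")
    printf '%-48s %s (%s)\n' "kernel.$s" "$v" "$(classify_sysctl "$v")"
  done
  profiles=""
  if [ -r /sys/kernel/security/apparmor/profiles ]; then
    profiles=$(cat /sys/kernel/security/apparmor/profiles)
  fi
  printf 'broad userns profiles loaded: %s\n' "$(broad_profiles_loaded "$profiles")"
  printf 'capable userns from unconfined shell: %s\n' "$(userns_capable)"
  printf 'capable userns via aa-exec -p chrome: %s\n' "$(userns_via_profile chrome)"
}

harden() {
  # Persist the sysctl Ubuntu recommends (blocks unconfined -> profile changes).
  printf 'kernel.apparmor_restrict_unprivileged_unconfined = 1\n' \
    | sudo tee /etc/sysctl.d/60-userns-hardening.conf >/dev/null
  sudo sysctl --system >/dev/null
  # Disable the broad profiles if their userns functionality is not needed:
  # the disable/ symlink keeps them off across reloads, -R unloads them now.
  for p in busybox nautilus; do
    [ -f "/etc/apparmor.d/$p" ] || continue
    sudo ln -sf "/etc/apparmor.d/$p" "/etc/apparmor.d/disable/$p"
    sudo apparmor_parser -R "/etc/apparmor.d/$p"
  done
}

case "${1:-audit}" in
  audit)  audit ;;
  harden) harden ;;
esac
```

Run it without arguments to audit; run `./userns-check.sh harden` as an administrator to apply the two mitigations. After hardening, `capable userns via aa-exec -p chrome` should report `no`, and the profile line should be empty; an audit that still reports `yes` for the unconfined shell means `kernel.apparmor_restrict_unprivileged_userns` itself is off, which none of the profile changes above will fix.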
"We are developing new features that will further decrease the attack surface in the event of unforeseen Linux kernel vulnerabilities," Ubuntu states in their response to the findings. These enhancements will be made available via Stable Release Updates for supported Ubuntu versions and incorporated by default in future releases.