Unprivileged user namespace restrictions break various applications

Bug #2035315 reported by Alex Murray
Affects            Status        Importance  Assigned to   Milestone
apparmor (Ubuntu)  Fix Released  High        Alex Murray
lxc (Ubuntu)       Fix Released  Undecided   Unassigned

Bug Description

When the unprivileged user namespace restrictions are enabled, various applications within and outside the Ubuntu archive fail to function, as they use unprivileged user namespaces as part of their normal operation.

A search of the Ubuntu archive for the 23.10 release was performed looking for all applications that make legitimate use of the CLONE_NEWUSER argument, the details of which can be seen in https://docs.google.com/spreadsheets/d/1MOPVoTW0BROF1TxYqoWeJ3c6w2xKElI4w-VjdCG0m9s/edit#gid=2102562502

For each package identified in that list, an investigation was made to determine if the application actually used this as an unprivileged user, and if so which of the binaries within the package were affected.

The full investigation can be seen in https://warthogs.atlassian.net/browse/SEC-1898 (which is unfortunately private) but is summarised to the following list of Ubuntu source packages, with the affected binaries as noted. NOTE that due to time constraints for some packages it was not possible to finish the complete investigation and so for those *all* the binaries from the package are listed below.

For each of these binaries, an apparmor profile is required so that the binary can be granted use of unprivileged user namespaces - an example profile for the ch-run binary within the charliecloud package is shown:

$ cat /etc/apparmor.d/usr.bin.ch-run
abi <abi/4.0>,

include <tunables/global>

/usr/bin/ch-run flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/usr.bin.ch-run>
}

However, in a few select cases, it has been decided not to ship an apparmor profile, since this would effectively allow this mitigation to be bypassed. In particular, the unshare and setns binaries within the util-linux package are installed on every Ubuntu system, and allow an unprivileged user the ability to launch an arbitrary application within a new user namespace. Any malicious application then that wished to exploit an unprivileged user namespace to conduct an attack on the kernel would simply need to spawn itself via `unshare -U` or similar to be granted this permission. Therefore, due to the ubiquitous nature of the unshare (and setns) binaries, profiles are not planned to be provided for these by default. Similarly, the bwrap binary within bubblewrap is also installed by default on Ubuntu Desktop 23.10 and can also be used to launch arbitrary binaries within a new user namespace and so no profile is planned to be provided for this either.

Those packages for which a profile is either not required or not planned are listed below, whilst the list of packages that require a profile (and their associated binaries) is listed at the end:

Packages that use user namespaces but for which a profile is not required or not planned:

  - bubblewrap
    - /usr/bin/bwrap (NOT PLANNED AS NOTED ABOVE)
  - cifs-utils
    - /usr/sbin/cifs.upcall (NOT REQUIRED AS IS EXECUTED AS root)
  - consfigurator # NOT REQUIRED, NO BINARIES OR reverse-depends
  - criu
    - /usr/sbin/criu (NOT REQUIRED SINCE ONLY FUNCTIONS AS root)
  - docker.io-app
    - /usr/bin/dockerd (NOT REQUIRED SINCE RUNS AS root)
  - firejail
    - /usr/bin/firejail (NOT REQUIRED SINCE is suid root)
  - golang-github-containers-storage
    - /usr/bin/containers-storage (NOT REQUIRED SINCE ONLY FUNCTIONS AS root)
  - golang-gvisor-gvisor
    - /usr/bin/runsc (NOT REQUIRED SINCE ONLY FUNCTIONS AS root)
  - guix
    - /usr/bin/guix-daemon (NOT REQUIRED SINCE RUNS AS root)
  - libvdestack # NOT REQUIRED, NO BINARIES OR reverse-depends
  - libvirt # NOT REQUIRED SINCE USES lxc WHICH WILL HAVE A PROFILE
  - network-manager # NOT REQUIRED SINCE CODE IS UNUSED
  - nix # APPEARS UNNEEDED IN DEFAULT CONFIGURATION
  - ocaml-extunix # NO BINARIES OR reverse-depends
  - passt
    - /usr/bin/passt # IS EXPECTED TO BE EXECUTED AS root
  - rust-rustix # NO BINARIES AND CODE IS UNUSED IN THE ARCHIVE
  - util-linux
    -

Packages that use unprivileged user namespaces which require a profile (or already have one as part of the previous apparmor update in 4.0.0~alpha2-0ubuntu1 via LP: #2030353):

  - bazel-bootstrap
    - /usr/libexec/@{multiarch}/bazel/linux-sandbox
  - busybox
    - /usr/bin/busybox
  - charliecloud
    - /usr/bin/ch-checkns (included in 4.0.0~alpha2-0ubuntu1 via LP: #2030353)
    - /usr/bin/ch-run (included in 4.0.0~alpha2-0ubuntu1 via LP: #2030353)
  - crun
    - /usr/bin/crun (included in 4.0.0~alpha2-0ubuntu1 via LP: #2030353)
  - flatpak
    - /usr/bin/flatpak
  - golang-github-containers-buildah
    - /usr/bin/buildah
  - libcamera
    - /usr/bin/cam
    - /usr/bin/ipa_verify
    - /usr/bin/lc-compliance
    - /usr/bin/libcamerify
    - /usr/bin/qcam
  - libpod
    - /usr/bin/podman
  - lxc
    - /usr/bin/lxc-attach
    - /usr/bin/lxc-create
    - /usr/bin/lxc-destroy
    - /usr/bin/lxc-execute
    - /usr/bin/lxc-start
    - /usr/bin/lxc-stop
    - /usr/bin/lxc-unshare
    - /usr/bin/lxc-usernsexec
  - mmdebstrap
    - /usr/bin/mmdebstrap
  - ocproxy
    - /usr/bin/vpnns
  - qt6-webengine
    - /usr/lib/qt6/libexec/QtWebEngineProcess
  - qtwebengine-opensource-src
    - /usr/lib/@{multiarch}/qt5/libexec/QtWebEngineProcess
  - rootlesskit
    - /usr/bin/rootlesskit
  - rpm
    - /usr/bin/rpm
  - runc
    - /usr/sbin/runc

The usage of CLONE_NEWUSER within the following packages was not able to be analysed fully and so profiles are included for all relevant binaries:

  - rust-virtiofsd
    - /usr/libexec/virtiofsd
  - sbuild
    - /usr/bin/sbuild
    - /usr/bin/sbuild-abort
    - /usr/bin/sbuild-apt
    - /usr/bin/sbuild-checkpackages
    - /usr/bin/sbuild-clean
    - /usr/bin/sbuild-createchroot
    - /usr/bin/sbuild-distupgrade
    - /usr/bin/sbuild-hold
    - /usr/bin/sbuild-shell
    - /usr/bin/sbuild-unhold
    - /usr/bin/sbuild-update
    - /usr/bin/sbuild-upgrade
    - /usr/sbin/sbuild-adduser
    - /usr/sbin/sbuild-destroychroot
  - slirp4netns
    - /usr/bin/slirp4netns
  - stress-ng
    - /usr/bin/stress-ng
  - systemd
  - thunderbird
    - /usr/bin/thunderbird
  - toybox
    - /bin/toybox
  - trinity
    - /usr/bin/trinity
  - tup
    - /usr/bin/tup
  - userbindmount
    - /usr/bin/userbindmount
  - uwsgi
    - /usr/bin/uwsgi-core
  - vdens
    - /usr/bin/vdens

Finally as noted in https://bugs.launchpad.net/ubuntu/+source/linux-meta-nvidia-5.19/+bug/2017980 the popular third-party application Google Chrome also requires unprivileged user namespaces:

  - google-chrome
    - /opt/google/chrome/chrome
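
The profile shape shown above is the same for every binary in these lists, and the changelog below names the profile files by flattening the binary path (for example /usr/libexec/@{multiarch}/bazel/linux-sandbox becomes usr.libexec.multiarch.bazel.linux-sandbox). The following POSIX shell helper, added here as an example and not part of the Ubuntu apparmor packaging, generates such a profile for a given path and can write one file per binary into a directory; the naming rule is an assumption inferred from the file names listed in the changelog.

```shell
#!/bin/sh
# Example code, not from the Ubuntu apparmor package. Generates an
# "unconfined + userns" AppArmor profile of the shape shown in the bug
# description for each binary that needs unprivileged user namespaces.

# profile_name PATH -> file name under /etc/apparmor.d
# Rule (assumed from the changelog): drop the leading "/", reduce an
# AppArmor variable such as @{multiarch} to its bare name, then turn
# every remaining "/" into ".".
profile_name() {
    printf '%s\n' "$1" | sed -e 's#^/##' -e 's#@{\([^}]*\)}#\1#g' -e 's#/#.#g'
}

# userns_profile PATH -> profile text on stdout. The binary stays
# unconfined; the only thing the profile adds is the userns permission,
# plus the usual hook for site-local overrides.
userns_profile() {
    name=$(profile_name "$1")
    cat <<EOF
abi <abi/4.0>,

include <tunables/global>

$1 flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/$name>
}
EOF
}

# write_profiles [DIR]: read one binary path per line on stdin and write
# a profile for each into DIR (default /etc/apparmor.d). Blank lines are
# skipped. Reload with "apparmor_parser -r DIR/<name>" afterwards.
write_profiles() {
    dir=${1:-/etc/apparmor.d}
    mkdir -p "$dir"
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        userns_profile "$path" > "$dir/$(profile_name "$path")"
    done
}

# Usage: printf '%s\n' /usr/bin/ch-run /bin/toybox | write_profiles /tmp/profiles
```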

Alex Murray (alexmurray)
Changed in apparmor (Ubuntu):
assignee: nobody → Alex Murray (alexmurray)
importance: Undecided → High
status: New → Confirmed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 4.0.0~alpha2-0ubuntu3

---------------
apparmor (4.0.0~alpha2-0ubuntu3) mantic; urgency=medium

  * Add remaining AppArmor profiles to support unprivileged user
    namespace restrictions (LP: #2035315)
    - Refreshed d/p/u/userns-unconfined-profiles.patch to add remaining
      profiles and added to debian/apparmor.install
       - usr.libexec.multiarch.bazel.linux-sandbox
       - usr.bin.busybox
       - usr.bin.buildah
       - usr.bin.cam
       - usr.bin.ipa_verify
       - usr.bin.lc-compliance
       - usr.bin.libcamerify
       - usr.bin.qcam
       - usr.bin.podman
       - usr.bin.lxc-attach
       - usr.bin.lxc-create
       - usr.bin.lxc-destroy
       - usr.bin.lxc-execute
       - usr.bin.lxc-start
       - usr.bin.lxc-stop
       - usr.bin.lxc-unshare
       - usr.bin.lxc-usernsexec
       - usr.bin.mmdebstrap
       - usr.bin.vpnns
       - usr.lib.qt6.libexec.QtWebEngineProcess
       - usr.lib.multiarch.qt5.libexec.QtWebEngineProcess
       - usr.bin.rootlesskit
       - usr.bin.rpm
       - usr.sbin.runc
       - usr.libexec.virtiofsd
       - usr.bin.sbuild
       - usr.bin.sbuild-abort
       - usr.bin.sbuild-apt
       - usr.bin.sbuild-checkpackages
       - usr.bin.sbuild-clean
       - usr.bin.sbuild-createchroot
       - usr.bin.sbuild-distupgrade
       - usr.bin.sbuild-hold
       - usr.bin.sbuild-shell
       - usr.bin.sbuild-unhold
       - usr.bin.sbuild-update
       - usr.bin.sbuild-upgrade
       - usr.sbin.sbuild-adduser
       - usr.sbin.sbuild-destroychroot
       - usr.bin.slirp4netns
       - usr.bin.stress-ng
       - usr.bin.thunderbird
       - bin.toybox
       - usr.bin.trinity
       - usr.bin.tup
       - usr.bin.userbindmount
       - usr.bin.uwsgi-core
       - usr.bin.vdens
       - opt.google.chrome.chrome

 -- Alex Murray <email address hidden> Thu, 14 Sep 2023 15:58:40 +0930

Changed in apparmor (Ubuntu):
status: Confirmed → Fix Released
Alex Murray (alexmurray) wrote :

As seen in https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2036302 it turns out the lxc package already shipped a profile in /etc/apparmor.d/usr.bin.lxc-create - so this profile itself needs to be updated to add the userns permission and declare the new ABI in lxc in mantic.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lxc - 1:5.0.1-0ubuntu7

---------------
lxc (1:5.0.1-0ubuntu7) mantic; urgency=medium

  * Update apparmor profile to support new userns feature (LP: #2035315)
    - d/p/apparmor-userns.patch: Add userns permission to
      start-container abstraction and declare new 4.0 ABI in
      the usr.bin.lxc-start apparmor profile
    - debian/control: Declare Breaks on anything less than apparmor
      4.0.0~alpha2-0ubuntu4 for liblxc-common to ensure if apparmor is
      installed that it supports the new 4.0 ABI and add systemd-dev to
      Build-Depends to fix local build failure.

 -- Alex Murray <email address hidden> Mon, 18 Sep 2023 13:28:16 +0930

Changed in lxc (Ubuntu):
status: New → Fix Released