GithubSoar

Namespaces

User Namespace & Related

  • The TLDR is that it's a way to isolate user and group IDs between processes, like creating a "mini operating system" inside the real operating system.

  • In a user namespace, a process can think it's running as the root user (with all the usual admin powers), but in reality, it's still a regular user outside of that namespace.

  • This allows AppImages (& Variants) think they have full control, but in fact, they are limited to what the outer system allows.

  • Some distros like Ubuntu disable it using AppArmor for security: https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces

  • But you can disable that, and just use modern Sandboxing Tools like BubbleWrap & firejail. Or Wrappers like AISAP & Chains

Check

!#Check if it's enabled at Kernel Level
sysctl -n user.max_user_namespaces
#This will print a number
#if it doesn't or it's user.max_user_namespaces = 0, then it's disabled

!#Check if it's enabled/restricted Using unshare : https://man7.org/linux/man-pages/man1/unshare.1.html
unshare --user echo "Username namespaces supported"
#If Suporrted: Username namespaces supported
#If Not: unshare: unshare(0x10000000): Operation not permitted

!#Check if AppArmor|SeLinux is stopping us 
sudo dmesg | grep -E '(selinux|apparmor|security)'
#Look for lines containing words like denied, disallowing etc

Errors & Solutions

[WARN] Your kernel does not support user namespaces

!#Because /proc/self/ns/user on your System, doesn't exist
1. You need to install SUID Bubblewrap into the system
#For RunImage, this solution will work, but for others, refer to others.
# wget "https://bin.pkgforge.dev/$(uname -m)/bwrap" -O "/tmp/bwrap"
# sudo cp -f "/tmp/bwrap" "/usr/bin/bwrap" && sudo chmod u+s "/usr/bin/bwrap"

2. You need to run some Packages (that require usernamespace) as ROOT [NOT RECOMMENDED & DANGEROUS]

3. Install a Kernel with user namespaces support like XanMod kernel -> https://xanmod.org

[WARN] You mustEnableunprivileged_userns_clone

!#Because /proc/sys/kernel/unprivileged_userns_clone == 0
 Enable unprivileged_userns_clone
echo "kernel.unprivileged_userns_clone=1" | sudo tee "/etc/sysctl.d/98-unprivileged-userns-clone.conf"
echo "1" | sudo tee "/proc/sys/kernel/unprivileged_userns_clone"
sudo service procps restart
sudo sysctl -p "/etc/sysctl.conf"
#Reboot

[WARN] You mustEnablemax_user_namespaces

!#Because /proc/sys/user/max_user_namespaces == 0
 Enable max_user_namespaces
echo "user.max_user_namespaces=10000" | sudo tee "/etc/sysctl.d/98-max-user-namespaces.conf"
echo "100000" | sudo tee "/proc/sys/user/max_user_namespaces"
sudo service procps restart
sudo sysctl -p "/etc/sysctl.conf"
#Reboot

[WARN] You mustDisableuserns_restrict

!#Because /proc/sys/kernel/userns_restrict == 1
 Disable userns_restrict
echo "kernel.userns_restrict=0" | sudo tee "/etc/sysctl.d/98-userns.conf"
echo "0" | sudo tee "/proc/sys/kernel/userns_restrict"
sudo service procps restart
sudo sysctl -p "/etc/sysctl.conf"
#Reboot

[WARN] You mustDisableapparmor_restrict_unprivileged_userns

!#Because /proc/sys/kernel/apparmor_restrict_unprivileged_userns == 1
 Disable apparmor_restrict_unprivileged_userns
echo "kernel.apparmor_restrict_unprivileged_userns=0" | sudo tee "/etc/sysctl.d/98-apparmor-unuserns.conf"
echo "0" | sudo tee "/proc/sys/kernel/apparmor_restrict_unprivileged_userns"
sudo service procps restart
sudo sysctl -p "/etc/sysctl.conf"
#Reboot

Examples

Read: https://www.baeldung.com/linux/list-namespaces

Chrome/Chromium

#In Address Bar
chrome://sandbox

Other Apps

#APP_NAME == pkg or the actual binary, & remember to keep the APP RUNNING
lsns -t user -t pid -t net | grep -i "${APP_NAME}"
#Example: lsns -t user -t pid -t net | grep -i "firefox"

#If you get no output, it means it's not enabled/working/supported
Otherwise You will get something like:
PreviousFuseNextZsync

Last updated