I am reading a lot about this currently.

Basically:

  • podman, flatpak, some Browsers use user namespaces to isolate activities from the main system
  • they are widely used as a security measurement
  • on Linux Flatpak uses them, as bubblewrap creates new user namespaces for each application
  • Flatpakked browsers cant use user namespaces themselves, as this is not compatible with flatpak. So their security especially in Chromium is reduced.

But that is as far as I go. The hardened Linux Kernel disables user namespaces. There is bubblewrap-suid which avoids using user namespaces.

Unflatpakked browsers are more secure as they can use their builtin sandbox to do things like tab isolation. But does this even work when user namespaces are disabled, or does this also break sandboxing?

Are user namespaces secure, is not using them even worse, what are hidden implications?

I also read that firejail runs as root, so if it has a security hole the sandboxed program can get root privileges. Isnt that the same with bubblewrap-suid ?