oss-sec mailing list archives

Re: Linux: Disabling network namespaces


From: Simon McVittie <smcv () debian org>
Date: Fri, 19 Apr 2024 18:25:02 +0100

On Fri, 19 Apr 2024 at 17:44:35 +0200, Solar Designer wrote:
> I guess
> systemd's PrivateNetwork services generally don't configure networking
> (they just give up network access), so would continue to work even with
> capabilities disallowed?

I can't speak for systemd's PrivateNetwork services, but for the
bubblewrap use-cases that I described elsewhere in the thread (Flatpak,
libgnome-desktop etc.), `bwrap --unshare-net` does bring up the "lo"
interface with address 127.0.0.1 and a route to 127.0.0.0/8 before it
relinquishes its capabilities and execs the sandboxed program.

Presumably this is because it's common for ordinary user-space applications
to assume that they can "talk to themselves" via loopback, even if there is
no external connectivity.

    smcv

