oss-sec mailing list archives
Re: Linux: Disabling network namespaces
From: Mickaël Salaün <mic () digikod net>
Date: Fri, 17 May 2024 17:25:41 +0200
On Mon, Apr 15, 2024 at 11:33:32PM +0000, Jordan Glover wrote:
> On Monday, April 15th, 2024 at 5:47 PM, Simon McVittie <smcv () debian org> wrote:
> > On Mon, 15 Apr 2024 at 17:13:09 +0200, Solar Designer wrote:
> >
> > I am not a kernel developer, so this is second-hand information; but I
> > believe the implementation of kernel.unprivileged_userns_clone used in
> > Debian (and subsequently copied from Debian by various other distros) is
> > derived from patches that were already proposed and rejected upstream, so
> > the feeling was that trying again to upstream that feature would be a
> > waste of time and upstream goodwill, because it would just get rejected
> > again by the same kernel maintainer.
>
> Perhaps it's best to link the old article covering the situation back then:
> https://lwn.net/Articles/673597/
>
> And yes, current kernel maintainers are the biggest proponents of unpriv
> userns, so any restriction is a rather impossible sell.
Landlock [1] could be extended to control user namespace creation the same
way we will be able to deny socket creation [2]. I'll definitely consider
any relevant sandboxing feature such as user namespace and fine-grained
capability control (that cannot already be done with existing kernel
features). Contributions are welcome!

[1] https://docs.kernel.org/userspace-api/landlock.html
[2] https://github.com/landlock-lsm/linux/issues/6

Regards,
Mickaël
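A check an administrator may want after this thread: confirm whether the running kernel actually refuses unprivileged user namespace creation, and whether the Debian-style kernel.unprivileged_userns_clone knob is present at all. This is an added example, not code from the thread, from Debian or from Landlock; the /proc path only exists on Debian-derived kernels, and the return-code conventions are this example's own.

```c
// Added example, not code from the thread: probe whether this kernel lets an
// unprivileged process create a user namespace, and read the Debian-style
// kernel.unprivileged_userns_clone knob. Return codes are this example's own.
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Parse a one-line sysctl value ("0\n" / "1\n"); -1 if not a valid flag. */
int parse_sysctl_flag(const char *content)
{
    if (!content) return -1;
    char *end;
    errno = 0;
    long v = strtol(content, &end, 10);
    if (end == content || errno) return -1;
    while (*end == ' ' || *end == '\t' || *end == '\n') end++;
    if (*end) return -1;
    return (v == 0 || v == 1) ? (int)v : -1;
}

/* unshare(CLONE_NEWUSER) in a forked child so the caller is untouched.
 * 1 = allowed, 0 = EPERM (what the Debian sysctl produces), -1 = other. */
int probe_userns_creation(void)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (unshare(CLONE_NEWUSER) == 0) _exit(1);
        _exit(errno == EPERM ? 0 : 2);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 2 ? -1 : WEXITSTATUS(status);
}

int main(void)
{
    char buf[32];
    FILE *f = fopen("/proc/sys/kernel/unprivileged_userns_clone", "r");
    int knob = f ? parse_sysctl_flag(fgets(buf, sizeof buf, f)) : -1;
    if (f) fclose(f);
    printf("unprivileged_userns_clone sysctl: %d (-1 = knob absent)\n", knob);
    printf("unprivileged userns creation: %d (1 allowed, 0 denied)\n",
           probe_userns_creation());
    return 0;
}
```

Run it as an unprivileged user: a kernel that lacks the knob may still deny creation through other means (user.max_user_namespaces=0, a seccomp filter), which is why the probe is reported separately from the sysctl.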