Date: Tue, 16 Apr 2024 19:13:50 -0400
From: Demi Marie Obenour
To: oss-security@lists.openwall.com
Subject: Re: [oss-security] Linux: Disabling network namespaces

On Tue, Apr 16, 2024 at 11:31:43PM +0200, Philippe Cerfon wrote:
> Hey.
>
> There's even an allegedly "wontfix" bug of mine where I requested that
> Debian switches back to a secure default and disables user namespaces, which
> have a long history of being exploitable:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1012547
>
> Don't think the current hole will have been the last one.
>
> Unfortunately it seems a feature that only a group of people will need is
> valued more important than keeping users secure. :-(

The problem with disabling unprivileged userns is that in the desktop Linux
case it actually causes serious problems, because creating a sandbox is now
a privileged operation. IMO Landlock + seccomp is a much better solution
for sandboxing, but I don't think it can do everything browsers need yet.
For containers, I'm not aware of a good solution right now.
--
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
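The thread above is about whether a distribution should allow unprivileged user namespace creation by default. As an added example (not part of this mail, of Debian's tooling, or of any project discussed here), the following POSIX shell script audits a host for that setting. It reads the Debian/Ubuntu-specific `kernel.unprivileged_userns_clone` sysctl, which does not exist on upstream kernels, and the upstream `user.max_user_namespaces` limit, and classifies the result. The classification takes its inputs as arguments so it can be exercised with constructed values; the function and file-path names are the script's own.

```shell
#!/bin/sh
# Added example (not from the original mail): audit whether this Linux host
# allows unprivileged user namespace creation.
#
# Two knobs are consulted:
#   /proc/sys/kernel/unprivileged_userns_clone  Debian/Ubuntu kernel patch,
#                                               0 = disabled, 1 = enabled,
#                                               absent on upstream kernels
#   /proc/sys/user/max_user_namespaces          upstream limit, 0 = no user
#                                               namespaces may be created at all

# classify_userns CLONE MAX
#   CLONE: "0", "1" or "absent"; MAX: the numeric limit or "absent".
#   Prints one of: disabled, enabled, unknown.
classify_userns() {
    clone="$1"
    max="$2"

    # A zero upstream limit disables creation regardless of the Debian knob.
    case "$max" in
        0) echo "disabled"; return 0 ;;
    esac

    case "$clone" in
        0)        echo "disabled"; return 0 ;;
        1|absent) ;;                       # fall through to the limit check
        *)        echo "unknown";  return 0 ;;
    esac

    # Only a positive numeric limit means creation is actually allowed.
    case "$max" in
        ''|*[!0-9]*) echo "unknown" ;;
        *)           echo "enabled" ;;
    esac
}

# read_sysctl PATH: prints the file's value, or "absent" if it cannot be read.
read_sysctl() {
    if [ -r "$1" ]; then
        cat "$1"
    else
        echo "absent"
    fi
}

# audit_host: read both knobs from /proc and print a one-line verdict.
audit_host() {
    clone=$(read_sysctl /proc/sys/kernel/unprivileged_userns_clone)
    max=$(read_sysctl /proc/sys/user/max_user_namespaces)
    state=$(classify_userns "$clone" "$max")
    echo "kernel.unprivileged_userns_clone=$clone user.max_user_namespaces=$max -> unprivileged userns: $state"
}

audit_host
```

Note the asymmetry the verdict encodes: `kernel.unprivileged_userns_clone=0` blocks only unprivileged callers, whereas `user.max_user_namespaces=0` blocks every caller in that namespace, including container runtimes that depend on user namespaces. That is the trade-off the reply describes: a hardened default that also removes the building block unprivileged sandboxes rely on.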