Date: Fri, 19 Apr 2024 18:25:02 +0100
From: Simon McVittie
To: oss-security@lists.openwall.com
Subject: Re: [oss-security] Linux: Disabling network namespaces
In-Reply-To: <20240419154435.GA7046@openwall.com>
References: <20240414190855.GA12716@openwall.com>
 <354b913bc1c154c1e3a2fc34ed8ed6b0d4641f11.camel@canonical.com>
 <20240419154435.GA7046@openwall.com>

On Fri, 19 Apr 2024 at 17:44:35 +0200, Solar Designer wrote:
> I guess
> systemd's PrivateNetwork services generally don't configure networking
> (they just give up network access), so would continue to work even with
> capabilities disallowed?

I can't speak for systemd's PrivateNetwork services, but for the bubblewrap
use-cases that I described elsewhere in the thread (Flatpak,
libgnome-desktop etc.), `bwrap --unshare-net` does bring up the "lo"
interface with address 127.0.0.1 and a route to 127.0.0.0/8 before it
relinquishes its capabilities and execs the sandboxed program.

Presumably this is because it's common for ordinary user-space applications
to assume that they can "talk to themselves" via loopback, even if there is
no external connectivity.

    smcv