Date: Fri, 19 Apr 2024 12:01:36 -0700
From: nightmare.yeah27@aceecat.org
To: oss-security@lists.openwall.com
References: <20240414190855.GA12716@openwall.com> <354b913bc1c154c1e3a2fc34ed8ed6b0d4641f11.camel@canonical.com>
In-Reply-To: <354b913bc1c154c1e3a2fc34ed8ed6b0d4641f11.camel@canonical.com>
Subject: [oss-security] Re: Linux: Disabling network namespaces

On Wed, Apr 17, 2024 at 09:52:10AM GMT, Georgia Garcia wrote:
> I just wanted to add that in the Ubuntu Noble Numbat release we are
> using AppArmor to restrict unprivileged user namespaces.
>
> Applications that don't have an AppArmor profile will use a default
> profile which denies the use of capabilities within the user
> namespace. Applications that need to use capabilities will have to
> be confined by a profile. Since we understand that creating an
> AppArmor profile might not be a trivial task for large programs, we
> introduced the "unconfined" flag which makes the profile act as if
> it were unconfined from the perspective of AppArmor, allowing all
> operations.
>
> There are more details here:
> https://discourse.ubuntu.com/t/noble-numbat-release-notes/39890#unprivileged-user-namespace-restrictions-13

I wonder if this (at least the kernel part of it) is already in the
latest PopOS rolling updates? I see some nodes in /proc/sys/kernel that
look very related.

-- 
Ian
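An added example, not part of the thread: a POSIX shell script that reads the sysctl behind the restriction Ian is asking about and prints a profile of the shape Georgia describes. The sysctl name `kernel.apparmor_restrict_unprivileged_userns` and the `userns,` rule are taken from Ubuntu's AppArmor 4.0 policy, not from the thread; the profile name and binary path are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Sysctl name and the "userns" rule
# are assumed from Ubuntu's AppArmor 4.0; adjust if your kernel differs.

# Report the state of the user-namespace restriction sysctl.
# Prints "absent" (kernel without the feature), "restricted" or "unrestricted".
userns_restriction_state() {
    sysctl_file="${1:-/proc/sys/kernel/apparmor_restrict_unprivileged_userns}"
    if [ ! -r "$sysctl_file" ]; then
        echo absent
        return 0
    fi
    if [ "$(cat "$sysctl_file")" = "1" ]; then
        echo restricted
    else
        echo unrestricted
    fi
}

# Emit a minimal profile for an application that needs capabilities
# inside a user namespace: flags=(unconfined) keeps AppArmor from
# mediating the program, and the "userns" rule permits the namespace
# itself. Arguments: profile name, absolute path of the binary.
emit_unconfined_profile() {
    name="$1"
    binary="$2"
    cat <<EOF
abi <abi/4.0>,
include <tunables/global>

profile $name $binary flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/$name>
}
EOF
}

# Stand-alone use: show the live state and print a sample profile.
echo "unprivileged userns restriction: $(userns_restriction_state)"
emit_unconfined_profile example_app /opt/example/bin/example_app
```

Write the printed profile to /etc/apparmor.d/<name> and load it with `apparmor_parser -r` on that file; the restriction itself is toggled through the sysctl the first function reads.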