Date: Fri, 17 May 2024 17:25:41 +0200
From: Mickaël Salaün
To: oss-security@lists.openwall.com
Cc: Günther Noack
Message-ID: <20240517.Eegh1chephap@digikod.net>
References: <20240414190855.GA12716@openwall.com>
 <20240415151309.GA15253@openwall.com>
Subject: Re: [oss-security] Linux: Disabling network namespaces

On Mon, Apr 15, 2024 at 11:33:32PM +0000, Jordan Glover wrote:
> On Monday, April 15th, 2024 at 5:47 PM, Simon McVittie wrote:
>
> > On Mon, 15 Apr 2024 at 17:13:09 +0200, Solar Designer wrote:
> >
> > I am not a kernel developer, so this is second-hand information; but I
> > believe the implementation of kernel.unprivileged_userns_clone used in
> > Debian (and subsequently copied from Debian by various other distros)
> > is derived from patches that were already proposed and rejected upstream,
> > so the feeling was that trying again to upstream that feature would be a
> > waste of time and upstream goodwill, because it would just get rejected
> > again by the same kernel maintainer.
>
> Perhaps it's best to link the old article covering the situation back then:
> https://lwn.net/Articles/673597/
>
> And yes, current kernel maintainers are the biggest proponents of unpriv
> userns, so any restriction is a rather impossible sell.

Landlock [1] could be extended to control user namespace creation the
same way we will be able to deny socket creation [2]. I'll definitely
consider any relevant sandboxing feature such as user namespace and
fine-grained capability control (that cannot already be done with
existing kernel features). Contributions are welcome!

[1] https://docs.kernel.org/userspace-api/landlock.html
[2] https://github.com/landlock-lsm/linux/issues/6

Regards,
 Mickaël
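As an added audit example (not code from the thread or from the Landlock project), the program below reports whether unprivileged user namespace creation is restricted on the running kernel: it reads the Debian-derived kernel.unprivileged_userns_clone sysctl discussed above (absent on upstream kernels), the upstream user.max_user_namespaces limit (a knob the thread does not mention; a value of 0 blocks creation for everyone), and then probes unshare(CLONE_NEWUSER) in a child process. The enum names and helper functions are this example's own.

```c
#define _GNU_SOURCE
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

enum userns_policy { USERNS_ALLOWED, USERNS_DENIED_DISTRO,
                     USERNS_DENIED_LIMIT, USERNS_UNKNOWN };

/* Classify from raw sysctl contents ("0\n", "1\n", "63487\n", ...).
 * NULL means that sysctl file does not exist on this kernel. */
enum userns_policy classify_userns(const char *distro_clone, const char *max_userns)
{
    if (distro_clone && strtol(distro_clone, NULL, 10) == 0)
        return USERNS_DENIED_DISTRO;   /* distro patch: unprivileged creation off */
    if (max_userns && strtol(max_userns, NULL, 10) == 0)
        return USERNS_DENIED_LIMIT;    /* upstream limit 0: nobody may create one */
    if (!distro_clone && !max_userns)
        return USERNS_UNKNOWN;         /* neither knob present: rely on the probe */
    return USERNS_ALLOWED;
}

/* Read one sysctl file into buf; returns buf, or NULL if the file is absent. */
static char *read_sysctl(const char *path, char *buf, size_t len)
{
    FILE *f = fopen(path, "r");
    if (!f) return NULL;
    char *r = fgets(buf, (int)len, f);
    fclose(f);
    return r;
}

/* Empirical check in a forked child so the caller's namespaces are untouched:
 * 1 if unshare(CLONE_NEWUSER) succeeds, 0 if the kernel refuses, -1 on error. */
int probe_userns(void)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) _exit(unshare(CLONE_NEWUSER) == 0 ? 0 : 1);
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

int main(void)
{
    static const char *names[] = { "allowed", "denied by kernel.unprivileged_userns_clone=0",
                                   "denied by user.max_user_namespaces=0", "unknown" };
    char a[32], b[32];
    const char *dc = read_sysctl("/proc/sys/kernel/unprivileged_userns_clone", a, sizeof a);
    const char *mu = read_sysctl("/proc/sys/user/max_user_namespaces", b, sizeof b);
    printf("sysctl policy: %s\n", names[classify_userns(dc, mu)]);
    printf("unshare(CLONE_NEWUSER) as this user: %d\n", probe_userns());
    return 0;
}
```

Run it as an unprivileged user; a policy of "allowed" together with a probe result of 0 points at another restriction layer (seccomp, an LSM policy, or a container runtime) rather than these two sysctls.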