On Thu, 2020-05-07 at 15:05 +0200, Yves-Alexis Perez wrote:
> On Wed, 2020-05-06 at 21:56 -0400, Aaron M. Ucko wrote:
> > Yves-Alexis Perez <[email protected]> writes:
> > > kernel.unprivileged_userns_clone is already set to 0 by default so it's
> > > not really needed here.
> >
> > Hence "explicitly", for the sake of anyone running a custom kernel that
> > accidentally wound up with a lax default.
>
> Yes indeed, that's a good point.

Actually no, it's not. kernel.unprivileged_userns_clone comes from a
Debian-specific patch which is not mainline:

- a non-Debian kernel won't have it (and the sysctl will result in an error)
- a rebuilt Debian kernel will have it and set to 0 by default
- a rebuilt Debian kernel with the patch removed or set to 1 by default would
  have been done explicitly, so I don't see the use of the sysctl either.

All in all I don't think it's worth changing the file (there's already a
comment in there).

Regards,
-- 
Yves-Alexis
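
Added example, not part of the original message or of any Debian package: a small audit function that tells apart the kernel cases listed above without writing to the sysctl. The function name `userns_policy` and its result labels are hypothetical; the check of the mainline `user.max_user_namespaces` limit is an addition the message does not mention.

```shell
#!/bin/sh
# Added example: classify the unprivileged user-namespace policy of a kernel.
# $1 is the sysctl tree to inspect (default /proc/sys); the parameter exists
# so the function can also be run against a constructed directory.
userns_policy() {
    root="${1:-/proc/sys}"
    debian_knob="$root/kernel/unprivileged_userns_clone"
    mainline_knob="$root/user/max_user_namespaces"

    # Mainline limit: 0 means no user namespace can be created at all.
    if [ -r "$mainline_knob" ] && [ "$(cat "$mainline_knob")" = "0" ]; then
        echo "disabled-by-max_user_namespaces"
        return 0
    fi

    # Kernel without the Debian patch: the key does not exist, so a
    # sysctl.d entry that sets it would fail with an error.
    if [ ! -e "$debian_knob" ]; then
        echo "knob-absent"
        return 0
    fi

    # Debian-patched kernel: 0 restricts creation to privileged users,
    # 1 lets unprivileged users create user namespaces.
    case "$(cat "$debian_knob")" in
        0) echo "restricted" ;;
        1) echo "permitted" ;;
        *) echo "unknown" ;;
    esac
}

# Report the policy of the running system.
userns_policy
```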

