On Sun, Apr 14, 2024 at 09:08:55PM +0200, Solar Designer wrote:
> Hi,
>
> Many Linux kernel vulnerabilities including the recently exploited
> Netfilter CVE-2024-1086 require CAP_NET_ADMIN in a namespace, yet a
> typically recommended mitigation is to disable user namespaces (not just
> network namespaces).
>
> Further, while on Debian/Ubuntu it is possible to disable just
> unprivileged user namespaces with the Debian-specific sysctl
> kernel.unprivileged_userns_clone=0, on other distros we'd have to use
> user.max_user_namespaces=0, which (unnecessarily) prevents starting of
> containers even by root.
>
> Fredrik Nystrom on Rocky Linux Mattermost channel Security pointed out
> that it is reasonable to disable just network namespaces with
> user.max_net_namespaces=0 instead, and that the negative effects of
> doing so and how to cope with them are well-documented for Apptainer,
> with its documentation also covering Docker, Podman, and systemd:
>
> https://apptainer.org/docs/admin/latest/user_namespace.html#disabling-network-namespaces
>
> I hope some of us in here find this useful, and maybe we (including
> distros) will start recommending this milder mitigation when sufficient.
Is this still compatible with Firefox?

IMO an ideal solution would be:

1. Provide a privileged helper daemon that sets up containers based on
   user requirements.
2. Port programs that use containers to use this helper.

-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
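Added example, not part of either message in this thread: a small POSIX sh script that reports which of the three mitigations named above a host has in effect (user.max_user_namespaces=0, the Debian-specific kernel.unprivileged_userns_clone=0, or the milder user.max_net_namespaces=0) by reading the corresponding files under /proc/sys, and prints a sysctl.d drop-in for the milder setting. The function names and the ROOT argument are my own; ROOT lets the check run against a constructed fake /proc/sys tree so it can be demonstrated without touching the real host. Pass an empty ROOT to inspect the machine you are on.

```shell
#!/bin/sh
# Added example (not from the oss-security thread). Classifies the
# namespace mitigation posture of a host from its sysctl files.
# ROOT is prepended to /proc/sys so a constructed tree can be used.

# Print the trimmed contents of "$1/proc/sys/$2", or "absent" if missing.
read_sysctl() {
    file="$1/proc/sys/$2"
    if [ -r "$file" ]; then
        tr -d '[:space:]' < "$file"
    else
        printf 'absent'
    fi
}

# Print one word for the strongest mitigation found, checked in order:
#   userns-off         user.max_user_namespaces=0 (no user namespaces, even for root)
#   unpriv-userns-off  kernel.unprivileged_userns_clone=0 (Debian/Ubuntu sysctl)
#   netns-off          user.max_net_namespaces=0 (the milder mitigation)
#   none               none of the above is set to 0
ns_mitigation_posture() {
    root="${1:-}"
    max_userns=$(read_sysctl "$root" user/max_user_namespaces)
    unpriv_clone=$(read_sysctl "$root" kernel/unprivileged_userns_clone)
    max_netns=$(read_sysctl "$root" user/max_net_namespaces)

    if [ "$max_userns" = "0" ]; then
        echo userns-off
    elif [ "$unpriv_clone" = "0" ]; then
        echo unpriv-userns-off
    elif [ "$max_netns" = "0" ]; then
        echo netns-off
    else
        echo none
    fi
}

# Print a sysctl.d drop-in for the milder mitigation (e.g. save it as
# /etc/sysctl.d/99-no-netns.conf and apply with sysctl --system).
netns_sysctl_fragment() {
    cat <<'EOF'
# Disable creation of new network namespaces instead of all user
# namespaces. Side effects on Apptainer, Docker, Podman and systemd are
# described in the Apptainer admin documentation linked in the thread.
user.max_net_namespaces = 0
EOF
}

# Build a constructed /proc/sys look-alike under $1 for demonstration.
# Args: root max_user_namespaces max_net_namespaces [unprivileged_userns_clone]
make_fake_sysctl_tree() {
    mkdir -p "$1/proc/sys/user" "$1/proc/sys/kernel"
    printf '%s\n' "$2" > "$1/proc/sys/user/max_user_namespaces"
    printf '%s\n' "$3" > "$1/proc/sys/user/max_net_namespaces"
    if [ -n "${4:-}" ]; then
        printf '%s\n' "$4" > "$1/proc/sys/kernel/unprivileged_userns_clone"
    fi
}

# Demonstration on a constructed tree; on a real host run: ns_mitigation_posture ""
demo_root=$(mktemp -d)
make_fake_sysctl_tree "$demo_root" 100000 0
echo "constructed host posture: $(ns_mitigation_posture "$demo_root")"
rm -rf "$demo_root"
```

The checks are ordered strongest-first, so a host with both user.max_user_namespaces=0 and user.max_net_namespaces=0 reports userns-off; that is deliberate, since the thread's point is that the stronger setting also blocks root from starting containers while the netns-only setting does not.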