On Mon, Apr 15, 2024 at 11:33:32PM +0000, Jordan Glover wrote:
> On Monday, April 15th, 2024 at 5:47 PM, Simon McVittie <s...@debian.org> wrote:
> 
> > On Mon, 15 Apr 2024 at 17:13:09 +0200, Solar Designer wrote:
> > 
> > I am not a kernel developer, so this is second-hand information; but I
> > believe the implementation of kernel.unprivileged_userns_clone used in
> > Debian (and subsequently copied from Debian by various other distros)
> > is derived from patches that were already proposed and rejected upstream,
> > so the feeling was that trying again to upstream that feature would be a
> > waste of time and upstream goodwill, because it would just get rejected
> > again by the same kernel maintainer.
> > 
> 
> Perhaps it's best to link the old article covering the situation back then:
> https://lwn.net/Articles/673597/
> 
> And yes, current kernel maintainers are the biggest proponents of unpriv
> userns, so any restriction is rather an impossible sell.

Landlock [1] could be extended to control user namespace creation the
same way we will be able to deny socket creation [2].  I'll definitely
consider any relevant sandboxing feature such as user namespace and
fine-grained capability control (that cannot already be done with
existing kernel features).  Contributions are welcome!

[1] https://docs.kernel.org/userspace-api/landlock.html
[2] https://github.com/landlock-lsm/linux/issues/6

Regards,
 Mickaël
