On Mon, Apr 15, 2024 at 11:33:32PM +0000, Jordan Glover wrote:
> On Monday, April 15th, 2024 at 5:47 PM, Simon McVittie <s...@debian.org>
> wrote:
>
> > On Mon, 15 Apr 2024 at 17:13:09 +0200, Solar Designer wrote:
> >
> > I am not a kernel developer, so this is second-hand information; but I
> > believe the implementation of kernel.unprivileged_userns_clone used in
> > Debian (and subsequently copied from Debian by various other distros)
> > is derived from patches that were already proposed and rejected upstream,
> > so the feeling was that trying again to upstream that feature would be a
> > waste of time and upstream goodwill, because it would just get rejected
> > again by the same kernel maintainer.
>
> Perhaps it's best to link the old article covering the situation back then:
> https://lwn.net/Articles/673597/
>
> And yes, current kernel maintainers are the biggest proponents of unpriv
> userns, so any restriction is a rather impossible sell.
Landlock [1] could be extended to control user namespace creation the same
way we will be able to deny socket creation [2]. I'll definitely consider
any relevant sandboxing feature such as user namespace and fine-grained
capability control (that cannot already be done with existing kernel
features). Contributions are welcome!

[1] https://docs.kernel.org/userspace-api/landlock.html
[2] https://github.com/landlock-lsm/linux/issues/6

Regards,
 Mickaël
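For readers who have not used the Landlock API that the reply above refers to, here is an added example (editor's code, not Mickaël's and not part of the Landlock project) of the "best-effort" pattern its documentation recommends: probe the ABI version the running kernel supports, handle only the access rights that version knows about, then make the whole filesystem read-only except for a few explicitly allowed paths. Neither user namespace creation nor socket creation can be restricted with Landlock as of this thread, and the code does not pretend otherwise; what it shows is the ABI-version negotiation through which any such new restriction would be adopted without breaking programs on older kernels. The constants and struct layouts are copied from include/uapi/linux/landlock.h so the file also builds against old headers; the syscall numbers 444-446 are the same on every architecture. It assumes a Linux host where /tmp is writable and /etc/passwd exists.

```c
/* Added example: best-effort Landlock filesystem sandbox in C.
 * Not from the thread or the Landlock project. Constants mirror
 * include/uapi/linux/landlock.h so no Landlock header is required. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#define __NR_landlock_add_rule       445
#define __NR_landlock_restrict_self  446
#endif
#ifndef PR_SET_NO_NEW_PRIVS
#define PR_SET_NO_NEW_PRIVS 38
#endif

#define LL_CREATE_RULESET_VERSION (1U << 0)
#define LL_RULE_PATH_BENEATH      1

/* Filesystem access rights; bits 13, 14 and 15 appeared in ABI 2, 3 and 5. */
#define LL_FS_EXECUTE   (1ULL << 0)
#define LL_FS_READ_FILE (1ULL << 2)
#define LL_FS_READ_DIR  (1ULL << 3)
#define LL_FS_REFER     (1ULL << 13)
#define LL_FS_TRUNCATE  (1ULL << 14)
#define LL_FS_IOCTL_DEV (1ULL << 15)
#define LL_FS_ALL       ((1ULL << 16) - 1)     /* every right up to ABI 5 */
#define LL_FS_READ_ONLY (LL_FS_EXECUTE | LL_FS_READ_FILE | LL_FS_READ_DIR)

struct ll_ruleset_attr {          /* struct landlock_ruleset_attr, ABI 4 layout */
    uint64_t handled_access_fs;
    uint64_t handled_access_net;  /* only accepted by the kernel from ABI 4 on */
};
struct ll_path_beneath_attr {     /* struct landlock_path_beneath_attr */
    uint64_t allowed_access;
    int32_t parent_fd;
} __attribute__((packed));

/* ABI version of the running kernel, or -1 if Landlock is unavailable
 * (kernel too old, not built in, or disabled at boot). */
static int landlock_abi_version(void)
{
    long v = syscall(__NR_landlock_create_ruleset, NULL, 0, LL_CREATE_RULESET_VERSION);
    return v < 0 ? -1 : (int)v;
}

/* Rights we want to handle, minus those this ABI does not know: handling an
 * unknown bit makes landlock_create_ruleset() fail with EINVAL. A future
 * right (say, for user namespaces) would be masked out the same way. */
static uint64_t fs_access_for_abi(int abi)
{
    uint64_t access = LL_FS_ALL;
    if (abi < 1)
        return 0;                  /* no Landlock: nothing can be handled */
    switch (abi) {
    case 1: access &= ~LL_FS_REFER;     /* fall through */
    case 2: access &= ~LL_FS_TRUNCATE;  /* fall through */
    case 3:
    case 4: access &= ~LL_FS_IOCTL_DEV; /* fall through */
    default: break;
    }
    return access;
}

/* Grant `allowed` (a subset of the handled rights) beneath directory `path`. */
static int add_dir_rule(int ruleset_fd, const char *path, uint64_t allowed)
{
    struct ll_path_beneath_attr rule = { .allowed_access = allowed };
    rule.parent_fd = open(path, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (rule.parent_fd < 0)
        return -1;
    int ret = syscall(__NR_landlock_add_rule, ruleset_fd, LL_RULE_PATH_BENEATH, &rule, 0);
    close(rule.parent_fd);
    return ret;
}

/* Make everything read-only except rw_paths. Returns 1 once enforced,
 * 0 if Landlock is unavailable (nothing applied), -1 on error. */
static int sandbox_readonly_except(const char *const rw_paths[], size_t n_rw, int abi)
{
    struct ll_ruleset_attr attr = { .handled_access_fs = fs_access_for_abi(abi) };
    if (abi < 1)
        return 0;
    /* Older kernels reject a struct larger than the one they know (E2BIG). */
    size_t attr_size = abi >= 4 ? sizeof(attr) : sizeof(attr.handled_access_fs);
    int ruleset_fd = syscall(__NR_landlock_create_ruleset, &attr, attr_size, 0);
    if (ruleset_fd < 0)
        return -1;
    if (add_dir_rule(ruleset_fd, "/", LL_FS_READ_ONLY & attr.handled_access_fs) < 0)
        goto fail;
    for (size_t i = 0; i < n_rw; i++)
        if (add_dir_rule(ruleset_fd, rw_paths[i], attr.handled_access_fs) < 0)
            goto fail;
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
        syscall(__NR_landlock_restrict_self, ruleset_fd, 0))
        goto fail;
    close(ruleset_fd);
    return 1;
fail:
    close(ruleset_fd);
    return -1;
}

int main(void)
{
    const char *const rw[] = { "/tmp" };           /* assumed writable scratch dir */
    int abi = landlock_abi_version();
    int ret = sandbox_readonly_except(rw, 1, abi);
    if (ret < 1) {
        printf("Landlock %s (ABI %d)\n", ret ? "setup failed" : "unavailable", abi);
        return ret < 0 ? 1 : 0;
    }
    int fd = open("/etc/passwd", O_WRONLY | O_CLOEXEC); /* not under /tmp: EACCES expected */
    printf("ABI %d: open(/etc/passwd, O_WRONLY) -> %s\n", abi,
           fd < 0 ? strerror(errno) : "allowed");
    if (fd >= 0)
        close(fd);
    return 0;
}
```

Run it unprivileged on a kernel with Landlock enabled (the ABI version is printed) and the write attempt outside /tmp fails with EACCES; on a kernel without Landlock the program reports that and applies nothing, which is the "best effort" choice a sandboxing library has to make explicitly rather than silently.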