oss-sec mailing list archives
Re: Linux: Disabling network namespaces
From: Demi Marie Obenour <demi () invisiblethingslab com>
Date: Tue, 16 Apr 2024 19:13:50 -0400
On Tue, Apr 16, 2024 at 11:31:43PM +0200, Philippe Cerfon wrote:
Hey. There's even an allegedly "wontfix" bug of mine where I requested that Debian switches back to a secure default and disables user namesapce which have a long history of being exploitable: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1012547 Don't think the current hole one will have been the last one. Unfortunately it seems a feature that only a group of people will need is valued more important than keeping users secure. :-(
The problem with disabling unprivileged userns is that in the desktop Linux case it actually causes serious problems, because creating a sandbox is now a privileged operation. IMO Landlock + seccomp is a much better solution for sandboxing, but I don't think it can do everything browsers need yet. For containers, I'm not aware of a good solution right now. -- Sincerely, Demi Marie Obenour (she/her/hers) Invisible Things Lab
Attachment:
signature.asc
Description:
Current thread:
- Re: Linux: Disabling network namespaces, (continued)
- Re: Linux: Disabling network namespaces Solar Designer (Apr 21)
- Re: Linux: Disabling network namespaces Jordan Glover (Apr 22)
- Re: Linux: Disabling network namespaces Demi Marie Obenour (Apr 23)
- Re: Linux: Disabling network namespaces Simon McVittie (Apr 23)
- Re: Linux: Disabling network namespaces John Johansen (Apr 29)
- Re: Linux: Disabling network namespaces Simon McVittie (Apr 21)
- Re: Linux: Disabling network namespaces Solar Designer (Apr 21)
- Re: Re: Linux: Disabling network namespaces John Johansen (Apr 29)
- Re: Linux: Disabling network namespaces Demi Marie Obenour (Apr 16)