oss-sec mailing list archives
Re: Linux: Disabling network namespaces
From: Simon McVittie <smcv () debian org>
Date: Fri, 19 Apr 2024 18:25:02 +0100
On Fri, 19 Apr 2024 at 17:44:35 +0200, Solar Designer wrote:
> I guess systemd's PrivateNetwork services generally don't configure networking (they just give up network access), so would continue to work even with capabilities disallowed?

I can't speak for systemd's PrivateNetwork services, but for the bubblewrap use-cases that I described elsewhere in the thread (Flatpak, libgnome-desktop etc.), `bwrap --unshare-net` does bring up the "lo" interface with address 127.0.0.1 and a route to 127.0.0.0/8 before it relinquishes its capabilities and execs the sandboxed program.

Presumably this is because it's common for ordinary user-space applications to assume that they can "talk to themselves" via loopback, even if there is no external connectivity.

    smcv
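The sequence described above (unshare the network namespace, bring "lo" up, drop capabilities, then let the sandboxed program talk to itself over loopback) reduced to a small C program. This is an added example, not bubblewrap's own code: bwrap configures the interface over netlink, whereas this uses the SIOCSIFFLAGS ioctl and relies on the kernel attaching 127.0.0.1/8 (and the matching local route) to a loopback device the moment it is brought up. The function and enum names are this example's own. It forks a child so the caller's namespace and capabilities are untouched; if `unshare()` is refused, which is exactly the situation this thread is about (unprivileged user namespaces disabled, or a seccomp policy returning EPERM), it reports DEMO_NO_NAMESPACE rather than failing.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <linux/capability.h>
#include <net/if.h>
#include <netinet/in.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Example-specific result codes (not part of bubblewrap). */
enum demo_result {
    DEMO_OK = 0,           /* new netns, lo up, caps dropped, loopback still works */
    DEMO_NO_NAMESPACE = 1, /* unshare() refused: namespaces unavailable to this user */
    DEMO_FAIL = 2          /* something unexpected happened inside the sandbox */
};

/* Is "lo" up in the caller's network namespace? Returns 1/0, or -errno. */
int lo_is_up(int fd)
{
    struct ifreq ifr;
    memset(&ifr, 0, sizeof ifr);
    strncpy(ifr.ifr_name, "lo", IFNAMSIZ - 1);
    if (ioctl(fd, SIOCGIFFLAGS, &ifr) < 0) return -errno;
    return (ifr.ifr_flags & IFF_UP) != 0;
}

/* Set IFF_UP on "lo". SIOCSIFFLAGS needs CAP_NET_ADMIN in the user namespace that
   owns the netns, so this returns -EPERM once capabilities have been dropped.
   Bringing a loopback device up makes the kernel add 127.0.0.1/8 to it. */
int set_lo_up(int fd)
{
    struct ifreq ifr;
    memset(&ifr, 0, sizeof ifr);
    strncpy(ifr.ifr_name, "lo", IFNAMSIZ - 1);
    if (ioctl(fd, SIOCGIFFLAGS, &ifr) < 0) return -errno;
    ifr.ifr_flags |= IFF_UP;
    return ioctl(fd, SIOCSIFFLAGS, &ifr) < 0 ? -errno : 0;
}

/* Relinquish every capability: bounding set first (still needs CAP_SETPCAP),
   then the permitted, effective and inheritable sets via capset(2). */
int drop_all_caps(void)
{
    for (int cap = 0; cap <= CAP_LAST_CAP; cap++)
        prctl(PR_CAPBSET_DROP, cap, 0, 0, 0);
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2] = {{0}};
    return syscall(SYS_capset, &hdr, data) < 0 ? -errno : 0;
}

/* Listen on 127.0.0.1, connect to ourselves, and push one message through the
   kernel: the "talk to yourself" assumption the sandboxed application makes. */
int loopback_echo(void)
{
    struct sockaddr_in addr = { .sin_family = AF_INET,
                                .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    socklen_t len = sizeof addr;
    int srv = socket(AF_INET, SOCK_STREAM, 0), cli = -1, conn = -1, rc = -1;
    char buf[8] = {0};
    if (srv < 0 || bind(srv, (struct sockaddr *)&addr, len) < 0 || listen(srv, 1) < 0 ||
        getsockname(srv, (struct sockaddr *)&addr, &len) < 0) goto out;
    cli = socket(AF_INET, SOCK_STREAM, 0);
    if (cli < 0 || connect(cli, (struct sockaddr *)&addr, len) < 0) goto out;
    conn = accept(srv, NULL, NULL);      /* handshake already completed in-kernel */
    if (conn < 0 || send(cli, "ping", 4, 0) != 4 || recv(conn, buf, sizeof buf, 0) != 4) goto out;
    rc = memcmp(buf, "ping", 4) == 0 ? 0 : -1;
out:
    if (conn >= 0) close(conn);
    if (cli >= 0) close(cli);
    if (srv >= 0) close(srv);
    return rc;
}

/* The bwrap-style ordering, run in a forked child so the caller is unaffected. */
enum demo_result run_sandboxed_loopback_demo(void)
{
    pid_t pid = fork();
    if (pid < 0) return DEMO_FAIL;
    if (pid == 0) {
        /* A new user ns grants full caps inside it; the new net ns contains only a DOWN lo. */
        if (unshare(CLONE_NEWUSER | CLONE_NEWNET) < 0) _exit(DEMO_NO_NAMESPACE);
        int fd = socket(AF_INET, SOCK_DGRAM, 0);
        if (fd < 0 || lo_is_up(fd) != 0) _exit(DEMO_FAIL);   /* fresh netns: lo starts down */
        if (set_lo_up(fd) != 0) _exit(DEMO_FAIL);            /* configure before dropping caps */
        if (drop_all_caps() != 0) _exit(DEMO_FAIL);
        if (set_lo_up(fd) != -EPERM) _exit(DEMO_FAIL);       /* CAP_NET_ADMIN really is gone... */
        if (loopback_echo() != 0) _exit(DEMO_FAIL);          /* ...yet loopback keeps working */
        _exit(DEMO_OK);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return DEMO_FAIL;
    return (enum demo_result)WEXITSTATUS(status);
}

int main(void)
{
    static const char *names[] = { "ok: lo up, caps dropped, loopback works",
                                   "could not unshare: namespaces unavailable",
                                   "unexpected failure inside the sandbox" };
    enum demo_result r = run_sandboxed_loopback_demo();
    printf("%s\n", names[r]);
    return r == DEMO_OK ? 0 : 1;
}
```

Build with `cc -Wall -o lo-demo lo-demo.c` and run as an ordinary user. The second `set_lo_up` call is the important check: an application that is handed this namespace after the capability drop can no longer reconfigure it (the ioctl fails with EPERM), which is the point of doing the loopback setup before relinquishing capabilities rather than leaving it to the sandboxed program.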