[arch-general] [arch-dev-public] linux 3.16 in [testing]
Daniel Micay
danielmicay at gmail.com
Wed Aug 13 19:14:30 EDT 2014
On 13/08/14 01:40 PM, Damjan Georgievski wrote:
>>> anyway. is there a reason this is not enabled now?
>>> all the mainstream distros hae it enabled now Fedora, RHEL/CentOS 7,
>>> Ubuntu and Debian (at least on the backported kernel)
>>
>> I'd think about it, if the feature wasn't entirely useless. Despite the
>> lack of official documentation, I found a document that described how it
>> worked. After reading that document I concluded that the feature is a
>> huge potential security risk with no actual benefit.
>
> What security risk exactly? There was one that I know of, and it was fixed.
A dozen local root exploits based on unprivileged user namespaces have
been disclosed. Fedora and grsecurity patch in a check to prevent
unprivileged use of user namespaces. You can find many with a search
like 'CVE user namespace linux'. The latest vulnerability is only a day
old...
>> If you give me a valid use case for USER_NS, I might reconsider, but
>> every use case I can imagine is crushed by the limitations of the
>> implementation.
>
> The use case is that you don't need root access to start a container.
> I can run Firefox with a limited view to the filesystem for example,
> as a normal user.
> Or limited view to the network, for ex. just ipv4, just ipv6, just vpn.
It's not possible to sandbox an X11 application externally, so Firefox
isn't a good example. The ability to see the contents of every window,
draw arbitrary stuff in the windows, capture every input event without
focus, etc. completely breaks it.
The AppArmor profiles in distributions like Ubuntu for graphical
applications are security theater. There's a reason for the Chromium
renderer sandbox proxying all rendering requests over a pipe. Even an
OpenGL context is too much before dri3, and it's only *theoretically*
possible for dri3 drivers to be secure in that context.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.archlinux.org/pipermail/arch-general/attachments/20140813/54eb75f6/attachment.asc>
More information about the arch-general
mailing list