[arch-general] user namespaces

Francisco Barbee tifrav at inbox.lv
Thu Feb 2 17:32:21 UTC 2017


----- Reply to message -----
Subject: Re: [arch-general] user namespaces
Date: 2 February 2017 at 18:22:36
From: "Daniel Micay" <danielmicay at gmail.com>
To: "General Discussion about Arch Linux" <arch-general at archlinux.org>

> On Thu, 2017-02-02 at 17:06 +0200, Francisco Barbee via arch-general wrote:
>> So what's your alternatives/setup usable on Arch (not Android, not ChromeOS)?
>> We have disabled SELinux, disabled AppArmor, disabled user namespaces, PIE
>> not enabled by default and only partial RELRO. What's left then? Swimming
>> naked?
> 
> You're venturing totally off-topic here, but I'll respond anyway.
> 
> The intention is to enable PIE by default but no one is stepping up to help
> Allan with it. There are binutils test failures that need to be triaged, and
> either fixed or ignored if they are not real failures.
> 
> Arch has a hardened linux-grsec kernel package which offers multiple MAC
> options enabled. The reason for SELinux and AppArmor not being enabled for
> linux or linux-grsec has to do with audit. If people were willing to do a bit
> of work, all of the MAC implementations rather than only grsecurity RBAC and
> TOMOYO could be available. I don't see much value in a huge amount of choice
> here anyway. None of it is particularly relevant to sandboxing desktop
> applications due to X11, pulseaudio, dbus, etc. In theory Wayland was
> supposed to be forward progress on that front but it depends on the Wayland
> compositor choosing to provide a real security model.
> 
> Unprivileged access to user namespaces is an anti-security feature, not a
> security feature. User namespaces themselves offer essentially zero value to
> application containers. The uid/gid mapping is superfluous when using a
> different approach and it isn't even properly supported since there's so much
> missing. The distribution would be significantly less secure with them
> enabled for unprivileged use. You should be thankful that the feature is not
> exposed by default if you really care about security rather than just being
> a concern troll.

So your advice for now would be to use a grsecurity kernel and forget all
those jails and namespaces until someone figures out a proper security
solution?
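The thread mentions two binary-level hardening properties, PIE and "only partial relro", without showing how to verify them. The following is an added example (not from this thread, and not code from Arch or any of its packages) that reads an ELF64 image and reports both: a file counts as PIE when its e_type is ET_DYN, and RELRO is "full" only when a PT_GNU_RELRO segment is paired with BIND_NOW (DT_FLAGS or DT_FLAGS_1) in the dynamic section, so the GOT is resolved eagerly and can then be made read-only. The function names `elf_hardening`, `build_sample` and `check_file` are this example's own, and the three images it inspects by default are constructed in `build_sample` (headers only, not loadable binaries); pass real paths on the command line to inspect installed executables.

```python
import struct
import sys

# Constants from the ELF64 specification and the GNU ABI extensions.
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_FLAGS, DT_FLAGS_1 = 0, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
EHDR_FMT = "<HHIQQQIHHHHHH"   # ELF64 header fields after the 16-byte e_ident
PHDR_FMT = "<IIQQQQQQ"        # ELF64 program header (56 bytes)
DYN_FMT = "<qQ"               # ELF64 dynamic entry: d_tag, d_val (16 bytes)


def elf_hardening(data: bytes) -> dict:
    """Report PIE and RELRO status of a little-endian ELF64 image held in memory.

    pie:   e_type == ET_DYN (shared objects are ET_DYN as well, so this mirrors
           what checksec-style tools report rather than proving executability).
    relro: 'full' = PT_GNU_RELRO segment present and BIND_NOW set;
           'partial' = segment present but lazy binding; 'none' = no segment.
    """
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    fields = struct.unpack_from(EHDR_FMT, data, 16)
    e_type, e_phoff, e_phentsize, e_phnum = fields[0], fields[4], fields[8], fields[9]
    has_relro = bind_now = False
    for i in range(e_phnum):
        p_type, _, p_offset, _, _, p_filesz, _, _ = struct.unpack_from(
            PHDR_FMT, data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:
            has_relro = True
        elif p_type == PT_DYNAMIC:
            # Walk the dynamic section looking for the eager-binding flags.
            for j in range(p_filesz // 16):
                d_tag, d_val = struct.unpack_from(DYN_FMT, data, p_offset + j * 16)
                if d_tag == DT_NULL:
                    break
                if (d_tag == DT_FLAGS and d_val & DF_BIND_NOW) or \
                   (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW):
                    bind_now = True
    relro = "full" if has_relro and bind_now else "partial" if has_relro else "none"
    return {"pie": e_type == ET_DYN, "relro": relro, "bind_now": bind_now}


def build_sample(e_type: int, relro: bool, bind_now: bool) -> bytes:
    """Construct a minimal ELF64 image for demonstration (constructed data, not a real binary)."""
    dyn = struct.pack(DYN_FMT, DT_FLAGS, DF_BIND_NOW if bind_now else 0)
    dyn += struct.pack(DYN_FMT, DT_NULL, 0)
    n_ph = 2 if relro else 1
    dyn_off = 64 + 56 * n_ph  # dynamic section immediately follows the program headers
    phdrs = struct.pack(PHDR_FMT, PT_DYNAMIC, 6, dyn_off, 0x1000, 0x1000, len(dyn), len(dyn), 8)
    if relro:
        phdrs += struct.pack(PHDR_FMT, PT_GNU_RELRO, 4, dyn_off, 0x1000, 0x1000, len(dyn), len(dyn), 1)
    # e_ident: magic, ELFCLASS64, ELFDATA2LSB, EV_CURRENT, SYSV ABI, padding.
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8) + struct.pack(
        EHDR_FMT, e_type, 62, 1, 0, 64, 0, 0, 64, 56, n_ph, 64, 0, 0)
    return ehdr + phdrs + dyn


def check_file(path: str) -> dict:
    """Inspect an ELF file on disk, e.g. an installed executable."""
    with open(path, "rb") as f:
        return elf_hardening(f.read())


if __name__ == "__main__":
    if sys.argv[1:]:
        for path in sys.argv[1:]:
            print(path, check_file(path))
    else:
        samples = {
            "non-PIE, no RELRO":       build_sample(ET_EXEC, False, False),
            "PIE, partial RELRO":      build_sample(ET_DYN, True, False),
            "PIE, full RELRO":         build_sample(ET_DYN, True, True),
        }
        for name, image in samples.items():
            print(f"{name:24s} {elf_hardening(image)}")
```

The "partial RELRO" case is the one the message complains about: the segment that lets the loader mark relocated data read-only is present, but without BIND_NOW the GOT stays writable for lazy resolution, so a write-what-where primitive can still overwrite function pointers in it. Linking with `-Wl,-z,relro,-z,now` (the usual "full RELRO" flags) is what moves a binary from "partial" to "full" in this report.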

