[arch-general] user namespaces

Daniel Micay danielmicay at gmail.com
Thu Feb 2 18:33:31 UTC 2017


On Thu, 2017-02-02 at 19:32 +0200, Francisco Barbee wrote:
> 
> So your advice for now would be to use a grsecurity
> kernel and forget all those jails and namespaces
> until someone figures out a proper security solution?

I never said that...

It simply doesn't make sense to base application sandboxes on user
namespaces. That's all. Isolation can be exposed to unprivileged users
without that insanity.

Chromium has the best sandbox available for large applications like
that, and it works fine without user namespaces. The tiny setuid binary
barely adds attack surface vs. the enormous fully privileged attack
surface of user namespaces. The chrome-sandbox binary can be contained
by MAC too, if you use it.