Package: hardening-runtime Version: 2 Severity: normal systemd services specifying PrivateUsers=yes (upower for a while, now also uuidd from uuid-runtime) have been failing with
Failed to set up user namespacing: No space left on device which I eventually tracked down to this package's specification of user.max_user_namespaces = 0 in /usr/lib/sysctl.d/10-hardening.conf. Could you please consider lifting this restriction, or at least blocking user namespaces only for unprivileged users via an explicit kernel.unprivileged_userns_clone = 0 setting? Thanks! -- System Information: Debian Release: bullseye/sid APT prefers testing-debug APT policy: (500, 'testing-debug'), (500, 'testing'), (500, 'stable'), (300, 'unstable-debug'), (300, 'unstable') Architecture: amd64 (x86_64) Foreign Architectures: i386, x32 Kernel: Linux 5.6.0-1-amd64 (SMP w/8 CPU cores) Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled -- no debconf information
