-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Wed, 2020-05-06 at 21:56 -0400, Aaron M. Ucko wrote:
> Yves-Alexis Perez <cor...@debian.org> writes:
> > kernel.unprivileged_userns_clone is already set to 0 by default so it's
> > not really needed here.
>
> Hence "explicitly", for the sake of anyone running a custom kernel that
> accidentally wound up with a lax default.

Yes indeed, that's a good point.

> > I'm not a fan of lifting the max_user_namespace restriction here since
> > it's there as runtime hardening. I can understand the pain with
> > PrivateUsers but I still don't think exposing root-designed kernel code
> > to unprivileged users is a good idea.
>
> Sure, and I don't advocate for lifting unprivileged_userns_clone, but
> AFAICT allowing root to create user namespaces doesn't raise nearly so
> many concerns, and can even help security insofar as it allows for
> better isolation.

Yes, but once a user namespace has been created (by root or a simple user),
anyone in that namespace can in turn create new user namespaces. I considered
raising the limit to 1 (so root can create a user namespace and that's it)
but it's not enough for PrivateUsers, it needs 2.

> > hardening-runtime is not installed by default so admins installing it are
> > supposed to understand what they do. They can also locally override the
> > restriction if needed (for example set it to 1 or 2).
>
> Fair enough, and I may go this route. It's perhaps unfortunate that
> there's no clean way to keep the default setting of this limit alongside
> 10-hardening.conf's other settings, but the default looks like massive
> overkill anyway, so I suppose that's no great loss.

I'm unsure what you mean here. Overriding it is as simple as adding a
/etc/sysctl.d/10-hardening-override.conf with user.max_user_namespace=1 (or 2,
3 etc.). You don't have to provide anything else or copy any other setting
from /usr/lib/sysctl.d/10-hardening.conf.

- -- 
Yves-Alexis
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEE8vi34Qgfo83x35gF3rYcyPpXRFsFAl60B4cACgkQ3rYcyPpX
RFuB8wf+Kr2jM4YLEai2IrwTE/TElu+Tjt6EDieZCj39Lkh/iWxwFfpwT9g9Hwnc
1uc5jyVaFItaOOqnsdTjrrvTIecQKiIx0UqTiF8tITHeDPyPvaDSdrOmOw4U7b9u
VHFs4myUlO2kjrNU+uyEUaFd17VE5+GhQ5rHd3I1Qf2/S72Y7oN7Vr/X57l7nPud
elR3k6Zu3zDeVhRbleJ9yjNeR76jpwHbW/dgM38oc/4V+tZ8diiWfd0GXp3Cn1Nu
9DtlUr+jRd9A0fam2E3iBd2kxWZK572nSxUOiMUG8wdE7OUNIRUlgKj0bYukrA4S
ObMt7uBqxWeeams4pXO7yVtXloWjJQ==
=AdZc
-----END PGP SIGNATURE-----
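Editor's added example (not part of the thread or of the hardening-runtime package): the override recipe above depends on how the sysctl.d files are merged, which is worth checking before relying on it. Two facts it rests on: the kernel's sysctl key is spelled user.max_user_namespaces (/proc/sys/user/max_user_namespaces), and sysctl.d(5), as implemented by systemd-sysctl, applies all *.conf files sorted by basename in byte order regardless of directory, with a file in /etc/sysctl.d masking a /usr/lib/sysctl.d file of the same name, and the last assignment of a key winning. Because '-' (0x2d) sorts before '.' (0x2e), 10-hardening-override.conf is applied before 10-hardening.conf and loses; a name that sorts after it (11-hardening-override.conf below) wins, while naming the file 10-hardening.conf masks the whole packaged file, including kernel.unprivileged_userns_clone. The script models exactly those rules over a constructed directory tree under a temporary root, so it reads and changes nothing on the real system; the packaged file's contents are stand-ins, not the package's real file. It assumes systemd-sysctl's resolution order; `sysctl --system` from procps may order files differently.

```shell
#!/bin/sh
# Added example, not from the thread: model how sysctl.d(5) resolves one key
# across /usr/lib/sysctl.d and /etc/sysctl.d so an override filename can be
# checked before it is relied on. Rules modelled (systemd-sysctl behaviour):
#   1. a file in /etc/sysctl.d masks a /usr/lib/sysctl.d file of the same name
#   2. surviving files are applied in byte-order lexicographic basename order
#   3. the last assignment of a key wins
# Everything lives under a constructed temporary root; nothing real is read.

# make_tree ROOT OVERRIDE_NAME
# Build the constructed layout: a stand-in for the packaged 10-hardening.conf
# (illustrative values, not the real file) plus one override in /etc/sysctl.d.
make_tree() {
    root=$1
    override=$2
    rm -rf "$root"
    mkdir -p "$root/usr/lib/sysctl.d" "$root/etc/sysctl.d"
    printf '%s\n' 'kernel.unprivileged_userns_clone = 0' \
                  'user.max_user_namespaces = 0' \
        > "$root/usr/lib/sysctl.d/10-hardening.conf"
    printf '%s\n' 'user.max_user_namespaces = 2' \
        > "$root/etc/sysctl.d/$override"
}

# apply_order ROOT
# Print the basenames that survive same-name masking, in application order.
apply_order() {
    root=$1
    for f in "$root"/usr/lib/sysctl.d/*.conf "$root"/etc/sysctl.d/*.conf; do
        if [ -f "$f" ]; then basename "$f"; fi
    done | LC_ALL=C sort -u
}

# resolve_key ROOT KEY
# Print "VALUE FILE" for the effective setting of KEY, with FILE relative to
# ROOT; prints " -" (empty value) when no surviving file sets the key.
resolve_key() {
    root=$1
    key=$2
    pattern=$(printf '%s' "$key" | sed 's/\./\\./g')   # escape dots for sed
    value=""
    source="-"
    for name in $(apply_order "$root"); do
        if [ -f "$root/etc/sysctl.d/$name" ]; then
            f="$root/etc/sysctl.d/$name"               # /etc copy masks /usr/lib
        else
            f="$root/usr/lib/sysctl.d/$name"
        fi
        # last "key = value" line in this file, value only
        v=$(sed -n "s/^[[:space:]]*$pattern[[:space:]]*=[[:space:]]*//p" "$f" | tail -n 1)
        if [ -n "$v" ]; then
            value=$v
            source=${f#"$root"}
        fi
    done
    printf '%s %s\n' "$value" "$source"
}

# demo: three candidate override names, showing which one actually takes effect
demo() {
    tmp=$(mktemp -d)
    for ovr in 10-hardening-override.conf 11-hardening-override.conf 10-hardening.conf; do
        make_tree "$tmp" "$ovr"
        printf '%-28s order: %s\n' "$ovr" "$(apply_order "$tmp" | tr '\n' ' ')"
        printf '%-28s user.max_user_namespaces -> %s\n' "" \
            "$(resolve_key "$tmp" user.max_user_namespaces)"
        printf '%-28s kernel.unprivileged_userns_clone -> %s\n' "" \
            "$(resolve_key "$tmp" kernel.unprivileged_userns_clone)"
    done
    rm -rf "$tmp"
}

demo
```

With the first name the packaged file is applied last and keeps user.max_user_namespaces at 0; with 11-hardening-override.conf the override wins and the packaged kernel.unprivileged_userns_clone setting survives; with 10-hardening.conf the override wins only because it replaces the packaged file entirely, so every other hardening setting in it is dropped. On a live system the same check is `systemd-sysctl --cat-config` (which prints files in application order) followed by `sysctl user.max_user_namespaces` after a reload.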