On Sat, 26 Dec 2020 at 19:43:22 +0100, Moritz Mühlenhoff wrote:
> On Mon, Dec 21, 2020 at 06:55:36PM +0000, Simon McVittie wrote:
> > The simplest and most robust thing would be for bubblewrap to depend on
> > procps, and ship a file /usr/lib/sysctl.d/50-bubblewrap.conf containing:
> >
> > kernel.unprivileged_userns_clone=1
>
> Why is this needed, given that anyone running a default bullseye kernel will
> have that setting by default? Is this for the upgrade case before someone has
> rebooted into the new kernel?
For users of testing/unstable who haven't rebooted yet, and for users of the
future stable who boot into the buster kernel as a recovery step because the
bullseye kernel has some regression on their hardware.

> I would keep it simple: Make bubblewrap unconditionally depend on
> unprivileged_userns_clone=1 and bail out with an error message if that's not
> the case.

A non-setuid bubblewrap will do that anyway (although I should patch it to
make the message point to Debian-specific information), but I'm concerned that
non-technical users of Flatpak via a GUI won't see that message, because
flatpak's stderr will end up in the systemd Journal or /dev/null, leading the
user to complain that Flatpak apps don't run and requiring some round-trips
before we discover that they're in this situation.

Other uses of bubblewrap, like libgnome-desktop (sandboxed thumbnailing for
nautilus/eog) could be worse for this than Flatpak, because users won't
necessarily expect basic functionality like that to have anything to do with
namespaces.

I'm keen for this to "just work" because if it doesn't, I don't want to spend
3 years responding to repeats of the same Flatpak and GNOME bug report.

smcv
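The "bail out with an error message pointing at Debian-specific information" check discussed above, as an added example that is not part of the thread and not bubblewrap's own code: it reads the Debian kernel's `kernel.unprivileged_userns_clone` sysctl, distinguishes the knob being absent (a kernel without that patch) from it being set to 0, and on failure names the proposed `/usr/lib/sysctl.d/50-bubblewrap.conf` drop-in. The sysctl file path is a parameter (an assumption of this example) so the check can be exercised against a constructed file.

```shell
#!/bin/sh
# Added example, not from the original thread or from bubblewrap itself.
# Pre-flight check for unprivileged user namespaces on a Debian kernel.

SYSCTL_FILE_DEFAULT=/proc/sys/kernel/unprivileged_userns_clone
DROPIN=/usr/lib/sysctl.d/50-bubblewrap.conf

# userns_status [FILE]
# Prints one of: enabled, disabled, absent.
# Exit status: 0 for enabled/absent, 1 for disabled, 2 for an unexpected value.
userns_status() {
    file=${1:-$SYSCTL_FILE_DEFAULT}
    if [ ! -r "$file" ]; then
        # Kernels without the Debian-specific knob have no switch here;
        # there is nothing for this check to enable, so do not block.
        echo absent
        return 0
    fi
    value=$(tr -d '[:space:]' < "$file")
    case "$value" in
        1) echo enabled;  return 0 ;;
        0) echo disabled; return 1 ;;
        *) echo "unexpected value '$value'"; return 2 ;;
    esac
}

# userns_check [FILE]
# Same exit status as userns_status; on "disabled" it writes the
# Debian-specific guidance to stderr instead of a bare failure.
userns_check() {
    status=$(userns_status "$1"); rc=$?
    if [ "$status" = disabled ]; then
        cat >&2 <<EOF
bubblewrap: unprivileged user namespaces are disabled
(kernel.unprivileged_userns_clone=0), so sandboxes cannot be created.
Reboot into a kernel that enables this by default, or enable it now with:
  sysctl kernel.unprivileged_userns_clone=1
To make it persistent, install $DROPIN containing:
  kernel.unprivileged_userns_clone=1
EOF
    fi
    return $rc
}
```

Callers such as a Flatpak or thumbnailer wrapper would run `userns_check` before invoking bwrap, so the guidance reaches the Journal even when the user never sees bubblewrap's own stderr.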