On 02/02/2017 10:29 AM, sivmu wrote:
> On 02.02.2017 at 11:28, Daniel Micay via arch-general wrote:
>> On Thu, 2017-02-02 at 02:40 +0100, sivmu wrote:
>>> On 01.02.2017 at 21:21, Daniel Micay via arch-general wrote:
>> it's a nearly useless feature.
>
> That's a baseless claim, that
On 2 Feb 2017 16:06, "Francisco Barbee via arch-general" <arch-general@archlinux.org> wrote:
So what's your alternatives/setup usable on Arch
(not android, not ChromeOS)? We have disabled
SELinux, disabled AppArmor, disabled user
namespaces, PIE not enabled by default and only
partial relro.
On Thu, 2017-02-02 at 19:32 +0200, Francisco Barbee wrote:
>
> So your advice for now would be to use grsecurity
> kernel and forget all those jails and namespaces
> until someone figures out a proper security solution?
No, the advice is to learn what you are trying to defend against, instead of
was
On Thu, 2017-02-02 at 19:32 +0200, Francisco Barbee wrote:
>
> So your advice for now would be to use grsecurity
> kernel and forget all those jails and namespaces
> until someone figures out a proper security solution?
I never said that...
It simply doesn't make sense to base application sandboxes
On 02.02.2017 at 17:45, Daniel Micay via arch-general wrote:
> SubgraphOS doesn't use user namespaces.
It also is not a lightweight solution that compares to the tools in
question for that matter. But I get your point.
>> I was under the impression that all
>> namespaces were enabled by defau
- Reply to message -
Subject: Re: [arch-general] user namespaces
Date: 2 February 2017 at 18:22:36
From: "Daniel Micay"
To: "General Discussion about Arch Linux"
:
> On Thu, 2017-02-02 at 17:06 +0200, Francisco Barbee via arch-general wrote:
>> So what&
On Thu, 02 Feb 2017 11:49:38 -0500, Daniel Micay via arch-general wrote:
>On Thu, 2017-02-02 at 17:39 +0100, Ralf Mardorf wrote:
>> On Thu, 02 Feb 2017 11:22:28 -0500, Daniel Micay via arch-general
>> wrote:
>> > The reason for SELinux and AppArmor not being enabled for linux or
>> > linux-grsec
On Thu, 2017-02-02 at 17:39 +0100, Ralf Mardorf wrote:
> On Thu, 02 Feb 2017 11:22:28 -0500, Daniel Micay via arch-general
> wrote:
> > The reason for SELinux and AppArmor not being enabled for linux or
> > linux-grsec has to do with audit. If people were willing to do a bit
> > of work, all of the
On Thu, 2017-02-02 at 16:29 +0100, sivmu wrote:
>
> On 02.02.2017 at 11:28, Daniel Micay via arch-general wrote:
> > On Thu, 2017-02-02 at 02:40 +0100, sivmu wrote:
> > >
> > > On 01.02.2017 at 21:21, Daniel Micay via arch-general wrote:
> > > > > > it's a nearly useless feature.
> > > > >
>
On Thu, 02 Feb 2017 11:22:28 -0500, Daniel Micay via arch-general wrote:
>The reason for SELinux and AppArmor not being enabled for linux or
>linux-grsec has to do with audit. If people were willing to do a bit
>of work, all of the MAC implementations rather than only grsecurity
>RBAC and TOMOYO co
On Thu, 2017-02-02 at 17:06 +0200, Francisco Barbee via arch-general
wrote:
> So what's your alternatives/setup usable on Arch
> (not android, not ChromeOS)? We have disabled
> SELinux, disabled AppArmor, disabled user
> namespaces, PIE not enabled by default and only
> partial relro. What's left
On Thu, 2 Feb 2017 16:29:52 +0100, sivmu wrote:
>Is there any chance to get the arch main kernel to use such a patch for
>privileged user namespaces like with grsec?
Hi,
you could provide the kernel by the AUR and see how many votes it gets.
Note "linux-grsec" is provided by "Community" and "linu
On 02.02.2017 at 11:28, Daniel Micay via arch-general wrote:
> On Thu, 2017-02-02 at 02:40 +0100, sivmu wrote:
>>
>> On 01.02.2017 at 21:21, Daniel Micay via arch-general wrote:
> it's a nearly useless feature.
That's a baseless claim, that was already proved wrong in my first
>>
So what's your alternatives/setup usable on Arch
(not android, not ChromeOS)? We have disabled
SELinux, disabled AppArmor, disabled user
namespaces, PIE not enabled by default and only
partial relro. What's left then? Swimming naked?
On Thu, 2017-02-02 at 02:40 +0100, sivmu wrote:
>
> On 01.02.2017 at 21:21, Daniel Micay via arch-general wrote:
> > > > it's a nearly useless feature.
> > >
> > > That's a baseless claim, that was already proved wrong in my first
> > > post
> > > by the many applications that use this feature.
On Wed, 1 Feb 2017 13:16:12 -0700, Leonid Isaev wrote:
>So, why don't you just build your own kernel? It takes only 20 mins...
I agree that users should build the kernel on their own, if they want
special features, but on many old machines it takes much longer to build
a kernel based on a default
On Thu, 2 Feb 2017 05:13:46 +0100
sivmu wrote:
> On 02.02.2017 at 05:10, Maxwell Anselm via arch-general wrote:
> >>
> >> All those distros, everyone except arch has decided at some point to no
> >> longer restrict the use of unprivileged user namespaces.
> >>
> >
> > In no way whatsoever doe
On 02.02.2017 at 05:10, Maxwell Anselm via arch-general wrote:
>>
>> All those distros, everyone except arch has decided at some point to no
>> longer restrict the use of unprivileged user namespaces.
>>
>
> In no way whatsoever does Arch restrict the use of unprivileged user
> namespaces. Rebu
>
> All those distros, everyone except arch has decided at some point to no
> longer restrict the use of unprivileged user namespaces.
>
In no way whatsoever does Arch restrict the use of unprivileged user
namespaces. Rebuilding your kernel with them enabled is a trivial task for
any user familiar
On 01.02.2017 at 21:21, Daniel Micay via arch-general wrote:
>>> it's a nearly useless feature.
>>
>> That's a baseless claim, that was already proved wrong in my first
>> post
>> by the many applications that use this feature.
>
> That doesn't demonstrate that it's useful relative to the alte
As somebody with no actual knowledge of the details you guys are
arguing over, but it seems to me OP has yet to learn that a simpler
and more secure environment can only be achieved by using fewer and
powerful components instead of many useless ones. Okay, there might be
a point from which the amou
On Wed, 2017-02-01 at 19:51 +0100, sivmu wrote:
>
> On 01.02.2017 at 07:20, Daniel Micay via arch-general wrote:
> > On Wed, 2017-02-01 at 00:18 +0100, sivmu wrote:
> > > Summary:
> > >
> > > Arch Linux is one of the few, if not the only distribution that
> > > still
> > > disables or restricts
On Wed, Feb 01, 2017 at 07:51:49PM +0100, sivmu wrote:
> The people responsible for linux distributions like debian, red hat and
> pretty much all other distros, as well as many developers of sandboxing
> applications including the tails and chromium people all believe this
> feature is a useful to
On 01.02.2017 at 07:20, Daniel Micay via arch-general wrote:
> On Wed, 2017-02-01 at 00:18 +0100, sivmu wrote:
>> Summary:
>>
>> Arch Linux is one of the few, if not the only distribution that still
>> disables or restricts the use of unprivileged user namespaces, a
>> feature
>> that is used by
On Wed, Feb 01, 2017 at 02:45:46AM -0500, Daniel Micay wrote:
> Application containers don't have a use for the user namespace quasi
> root and no one really needs the half baked uid/gid mapping feature.
> There's no real reason for stuff being done that way beyond desktop
> Linux having the diseas
On Wed, 2017-02-01 at 00:21 -0700, Leonid Isaev wrote:
> On Wed, Feb 01, 2017 at 01:20:41AM -0500, Daniel Micay via arch-
> general wrote:
> > On Wed, 2017-02-01 at 00:18 +0100, sivmu wrote:
> > > Summary:
> > >
> > > Arch Linux is one of the few, if not the only distribution that
> > > still
> >
On Wed, Feb 01, 2017 at 01:20:41AM -0500, Daniel Micay via arch-general wrote:
> On Wed, 2017-02-01 at 00:18 +0100, sivmu wrote:
> > Summary:
> >
> > Arch Linux is one of the few, if not the only distribution that still
> > disables or restricts the use of unprivileged user namespaces, a
> > featu
Also worth noting that one of the first things any sandbox based on user
namespaces will do is *disabling* user namespaces. The programs using
them acknowledge them to be a huge security problem. It doesn't work out
well when only a subset of processes are running in that container env.
The only sa
So, why don't you compile your own kernel?
Using abs and changing the config-file is the only thing you'd have to do.
On Wed, 2017-02-01 at 00:18 +0100, sivmu wrote:
> Summary:
>
> Arch Linux is one of the few, if not the only distribution that still
> disables or restricts the use of unprivileged user namespaces, a
> feature
> that is used by many applications and containers to provide secure
> sandboxing.
> The
Summary:
Arch Linux is one of the few, if not the only distribution that still
disables or restricts the use of unprivileged user namespaces, a feature
that is used by many applications and containers to provide secure
sandboxing.
There have been requests to turn this feature on since Linux 3.13 (i
31 matches