----- Reply to message -----
Subject: Re: user namespaces
Date: 2 February 2017 at 18:22:36
From: "Daniel Micay" <danielmicay@xxxxxxxxx>
To: "General Discussion about Arch Linux" <arch-general@xxxxxxxxxxxxx>

> On Thu, 2017-02-02 at 17:06 +0200, Francisco Barbee via arch-general
> wrote:
>> So what's your alternatives/setup usable on Arch
>> (not android, not ChromeOS)? We have disabled
>> SELinux, disabled AppArmor, disabled user
>> namespaces, PIE not enabled by default and only
>> partial relro. What's left then? Swimming naked?
>
> You're venturing totally off-topic here, but I'll respond anyway.
>
> The intention is to enable PIE by default but no one is stepping up to
> help Allan with it. There are binutils test failures that need to be
> triaged, and either fixed or ignored if they are not real failures.
>
> Arch has a hardened linux-grsec kernel package which offers multiple MAC
> options enabled. The reason for SELinux and AppArmor not being enabled
> for linux or linux-grsec has to do with audit. If people were willing to
> do a bit of work, all of the MAC implementations rather than only
> grsecurity RBAC and TOMOYO could be available. I don't see much value in
> a huge amount of choice here anyway. None of it is particularly relevant
> to sandboxing desktop applications due to X11, pulseaudio, dbus, etc. In
> theory Wayland was supposed to be forward progress on that front but it
> depends on the Wayland compositor choosing to provide a real security
> model.
>
> Unprivileged access to user namespaces is an anti-security feature, not
> a security feature. User namespaces themselves offer essentially zero
> value to application containers. The uid/gid mapping is superfluous when
> using a different approach and it isn't even properly supported since
> there's so much missing. The distribution would be significantly less
> secure with them enabled for unprivileged use. You should be thankful
> that the feature is not exposed by default if you really care about
> security rather than just being a concern troll.

So your advice for now would be to use the grsecurity kernel and forget all those jails and namespaces until someone figures out a proper security solution?