> On Apr 17, 2019, at 5:19 AM, Florian Weimer <fweimer@xxxxxxxxxx> wrote:
>
> * Andy Lutomirski:
>
>> I would personally *love* it if distros started setting no_new_privs
>> for basically all processes.
>
> Wouldn't no_new_privs inhibit all security transitions, including those
> that reduce privileges? And therefore effectively reduce security?

In principle, you still can reduce privileges with no_new_privs. SELinux has a whole mechanism for privilege-reducing transitions on exec that works in no_new_privs mode. Also, all the traditional privilege dropping techniques work — setresuid(), unshare(), etc. are all unaffected.

>
> There seems to be some demand to be able to do large
> parts of container setup using posix_spawn, so we'll probably add
> support for things like writing to arbitrary files eventually. And of
> course, proper error reporting, so that you can figure out which file
> creation action failed.
>

ISTM the way to handle this is to have a way to make a container, set it up, and then clone/spawn into it. The current unshare() API is severely awkward. Maybe the new better kernel spawn API shouldn't support unshare-like semantics at all and should instead work like setns().
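The point in the reply above, that no_new_privs blocks privilege gain on exec but leaves the ordinary privilege-dropping calls alone, can be seen directly with prctl(2) and setresuid(2). The following is an added example written for this thread, not code from the message or from the kernel; it is Linux-only, and the choice of uid/gid 65534 as the "nobody" target when run as root is an assumption a real service would replace with a lookup.

```c
/* Added example: no_new_privs forbids gaining privilege on exec (setuid bits,
 * file capabilities, privilege-adding LSM transitions) but does not touch
 * setresuid()/setresgid() style privilege dropping.  Linux only. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef PR_SET_NO_NEW_PRIVS          /* older libc headers */
#define PR_SET_NO_NEW_PRIVS 38
#define PR_GET_NO_NEW_PRIVS 39
#endif

/* Set the no_new_privs bit on the calling thread.  It is inherited across
 * fork/clone and exec and can never be cleared.  Returns 0 on success,
 * -1 with errno set otherwise. */
int enable_no_new_privs(void)
{
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
}

/* 1 if the bit is set on the calling thread, 0 if not, -1 on error. */
int no_new_privs_is_set(void)
{
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

/* The bit is one-way: the kernel only accepts arg2 == 1 and rejects an
 * attempt to clear it with EINVAL.  Returns 1 if that rejection happened. */
int clear_no_new_privs_rejected(void)
{
    if (prctl(PR_SET_NO_NEW_PRIVS, 0, 0, 0, 0) == 0)
        return 0;                  /* would mean the bit was cleared */
    return errno == EINVAL ? 1 : -1;
}

/* Drop to a less privileged identity: group first (it needs the caller's
 * current privilege), then user, setting real, effective and saved ids so
 * the drop cannot be undone.  Unaffected by no_new_privs.  Returns 0 on
 * success and re-reads the ids to confirm all three changed. */
int drop_privileges(uid_t uid, gid_t gid)
{
    uid_t r, e, s;

    if (setresgid(gid, gid, gid) != 0)
        return -1;
    if (setresuid(uid, uid, uid) != 0)
        return -1;
    if (getresuid(&r, &e, &s) != 0 || r != uid || e != uid || s != uid)
        return -1;
    return 0;
}

int main(void)
{
    if (enable_no_new_privs() != 0) {
        perror("PR_SET_NO_NEW_PRIVS");
        return 1;
    }
    printf("no_new_privs set: %d\n", no_new_privs_is_set());
    printf("attempt to clear rejected: %d\n", clear_no_new_privs_rejected());

    /* Assumption: when started as root, drop to uid/gid 65534 ("nobody" on
     * many distributions).  An unprivileged caller keeps its own ids, which
     * setresuid()/setresgid() always permit. */
    uid_t target_uid = getuid() == 0 ? (uid_t)65534 : getuid();
    gid_t target_gid = getgid() == 0 ? (gid_t)65534 : getgid();
    if (drop_privileges(target_uid, target_gid) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("now uid %u, no_new_privs still %d\n",
           (unsigned)geteuid(), no_new_privs_is_set());

    /* From here on, exec of a setuid-root binary runs it with *our* uid:
     * the kernel ignores the setuid bit and file capabilities. */
    return 0;
}
```

Run it as root and then as an ordinary user: in both cases the bit sticks, the clear attempt fails, and the uid change goes through; only an attempted privilege gain (execing a setuid program afterwards) behaves differently from a process without the bit.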