Getting userns enabled in vendor kernels

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

The user namespace work gave us two new features

 - Ability to set UID/GID mappings between containers & host
 - Ability for unprivileged users to create namespaces

The first of these features is really critical to be able to make the
use of LXC secure using DAC, rather than having to rely on the use of
MAC (SELinux/AppArmour) protection.

The second feature is a nice, but it is not critical in the same way,
since it is all about opening up new use cases, rather than securing
existing use cases.

Both of these features are under the same CONFIG_USER_NS Kconfig setting,
so you can't get the former without also getting the latter.

This is a problem because distro kernel maintainers are rejecting requests
to enable CONFIG_USER_NS over concern that it significantly expands the
attack surface accessible to unprivileged users. Fedora, RHEL & Arch Linux
have all rejected enabling CONFIG_USER_NS as it is due to this concern.

This sucks, because there's a really pressing need to make the ID mapping
feature available, while there isn't much sense of urgency over allowing
unprivileged users to create namespaces.

In Fedora I managed to get agreement to enable CONFIG_USER_NS provided
that the following patch is reverted [1]

  commit 5eaf563e53294d6696e651466697eb9d491f3946
  Author: Eric W. Biederman <ebiederm@xxxxxxxxxxxx>
  Date:   Mon Nov 21 17:22:31 2011 -0800

    userns: Allow unprivileged users to create user namespaces.

If other distros have similar demands, I'm wondering if it is worth
making the above patch be conditional on a new Kconfig parameter like
CONFIG_USER_NS_UNPRIVILEGED ?

Arch Linux maintainers suggested that this patch be made conditional
on a sysctl setting, defaulting to 0, so those who want the unprivileged
users to create namespaces have to explicitly opt-in at runtime[2].

Regards,
Daniel

[1] https://bugzilla.redhat.com/show_bug.cgi?id=917708
[2] https://bugs.archlinux.org/task/36969
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/containers
[Index of Archives]     [Cgroups]     [Netdev]     [Linux Wireless]     [Kernel Newbies]     [Security]     [Linux for Hams]     [Netfilter]     [Bugtraq]     [Yosemite Forum]     [MIPS Linux]     [ARM Linux]     [Linux RAID]     [Linux Admin]     [Samba]

  Powered by Linux