On Tue, May 30, 2023 at 05:58:48PM -0400, Paul Moore wrote: > On Tue, May 30, 2023 at 2:50 PM ~akihirosuda <akihirosuda@xxxxxxxxx> wrote: > > > > This sysctl limits groups who can create a new userns without > > CAP_SYS_ADMIN in the current userns, so as to mitigate potential kernel > > vulnerabilities around userns. > > > > The sysctl value format is same as "net.ipv4.ping_group_range". > > > > To disable creating new unprivileged userns, set the sysctl value to "1 > > 0" in the initial userns. > > > > To allow everyone to create new userns, set the sysctl value to "0 > > 4294967294". This is the default value. > > > > This sysctl replaces "kernel.unprivileged_userns_clone" that is found in > > Ubuntu [1] and Debian GNU/Linux. > > > > Link: https://git.launchpad.net/~ubuntu- > > kernel/ubuntu/+source/linux/+git/jammy/commit?id=3422764 [1] > > Given the challenges around adding access controls to userns > operations, have you considered using the LSM support that was added > upstream last year? The relevant LSM hook can be found in commit > 7cd4c5c2101c ("security, lsm: Introduce security_create_user_ns()"), > and although only SELinux currently provides an access control > implementation, there is no reason you couldn't add support for your > favorite LSM, or even just a simple BPF LSM to enforce the group > controls as you've described them here. Yes. Please, no more sysctls...
