Re: bubblewrap: needs transition to non-setuid to accompany linux/5.10.x
On Mon, Dec 21, 2020 at 06:55:36PM +0000, Simon McVittie wrote:
> Package: bubblewrap
> Version: 0.4.1-1
> Severity: important
> Tags: security
> X-Debbugs-Cc: debian-kernel@lists.debian.org, team@security.debian.org
> The simplest and most robust thing would be for bubblewrap to depend on
> procps, and ship a file /usr/lib/sysctl.d/50-bubblewrap.conf containing:
>
> kernel.unprivileged_userns_clone=1

Why is this needed, given that anyone running a default bullseye kernel will have
that setting by default? Is this for the upgrade case before someone has rebooted
into the new kernel?

I would keep it simple: Make bubblewrap unconditionally depend on
unprivileged_userns_clone=1 and bail out with an error message if that's not the case.

There's a fair number of non-server use cases where it makes sense to disable
unprivileged user namespaces, but it seems like a fair tradeoff for bubblewrap
to simply depend on them being available.

Cheers,
Moritz
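
The fail-fast check suggested in this message, as an added example (not bubblewrap's code and not part of the original mail). It reads Debian's kernel.unprivileged_userns_clone and, going beyond the message, the upstream user.max_user_namespaces limit, treating a missing file as "no restriction from that knob"; the function and enum names are hypothetical.

```c
/* Added example: startup check for unprivileged user namespaces. */
#include <stdio.h>
#include <stdlib.h>

enum userns_state { USERNS_OK, USERNS_DISABLED_DEBIAN, USERNS_DISABLED_LIMIT };

/* Read the first line of a sysctl file; NULL if it is absent or unreadable. */
static const char *read_sysctl(const char *path, char *buf, size_t len)
{
    FILE *f = fopen(path, "r");
    if (!f)
        return NULL;
    const char *r = fgets(buf, (int)len, f);
    fclose(f);
    return r;
}

/* Classify from raw sysctl contents; NULL means the file does not exist. */
enum userns_state classify_userns(const char *clone_val, const char *max_val)
{
    /* Debian-specific knob: absent on kernels without the Debian patch. */
    if (clone_val && strtol(clone_val, NULL, 10) == 0)
        return USERNS_DISABLED_DEBIAN;
    /* Upstream per-user limit: 0 also blocks creating user namespaces. */
    if (max_val && strtol(max_val, NULL, 10) == 0)
        return USERNS_DISABLED_LIMIT;
    return USERNS_OK;
}

int main(void)
{
    char a[32], b[32];
    enum userns_state s = classify_userns(
        read_sysctl("/proc/sys/kernel/unprivileged_userns_clone", a, sizeof a),
        read_sysctl("/proc/sys/user/max_user_namespaces", b, sizeof b));
    if (s == USERNS_DISABLED_DEBIAN) {
        fprintf(stderr, "error: kernel.unprivileged_userns_clone=0; "
                        "unprivileged user namespaces are required\n");
        return EXIT_FAILURE;
    }
    if (s == USERNS_DISABLED_LIMIT) {
        fprintf(stderr, "error: user.max_user_namespaces=0; "
                        "unprivileged user namespaces are required\n");
        return EXIT_FAILURE;
    }
    puts("unprivileged user namespaces are not disabled by sysctl");
    return EXIT_SUCCESS;
}
```
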