List:       oss-security
Subject:    [oss-security] Re: Linux: Disabling network namespaces
From:       nightmare.yeah27 () aceecat ! org
Date:       2024-04-19 19:01:36
Message-ID: Hz11pVeI7utfT3Od () aceecat ! org

On Wed, Apr 17, 2024 at 09:52:10AM GMT, Georgia Garcia wrote:

> I just wanted to add that in the Ubuntu Noble Numbat release we are
> using AppArmor to restrict unprivileged user namespaces.

> Applications that don't have an AppArmor profile will use a default
> profile which denies the use of capabilities within the user
> namespace.  Applications that need to use capabilities will have to
> be confined by a profile. Since we understand that creating an
> AppArmor profile might not be a trivial task for large programs, we
> introduced the "unconfined" flag which makes the profile act as if
> it were unconfined from the perspective of AppArmor, allowing all
> operations.

> There are more details here:

> https://discourse.ubuntu.com/t/noble-numbat-release-notes/39890#unprivileged-user-namespace-restrictions-13

I wonder if this (at least the kernel part of it) is already in the
latest PopOS rolling updates? I see some nodes in /proc/sys/kernel
that look very related.

-- 
Ian