List: oss-security
Subject: [oss-security] Re: Linux: Disabling network namespaces
From: nightmare.yeah27 () aceecat ! org
Date: 2024-04-19 19:01:36
Message-ID: Hz11pVeI7utfT3Od () aceecat ! org
On Wed, Apr 17, 2024 at 09:52:10AM GMT, Georgia Garcia wrote:
> I just wanted to add that in the Ubuntu Noble Numbat release we are
> using AppArmor to restrict unprivileged user namespaces.
> Applications that don't have an AppArmor profile will use a default
> profile which denies the use of capabilities within the user
> namespace. Applications that need to use capabilities will have to
> be confined by a profile. Since we understand that creating an
> AppArmor profile might not be a trivial task for large programs, we
> introduced the "unconfined" flag which makes the profile act as if
> it were unconfined from the perspective of AppArmor, allowing all
> operations.
> There are more details here:
> https://discourse.ubuntu.com/t/noble-numbat-release-notes/39890#unprivileged-user-namespace-restrictions-13
I wonder if this (at least the kernel part of it) is already in the
latest PopOS rolling updates? I see some nodes in /proc/sys/kernel
that look very related.
--
Ian
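An added example, not part of either message in this thread: a small POSIX sh helper that answers Ian's question programmatically (is the restriction present and enabled on this kernel?) and prints the kind of "unconfined" profile the quoted Ubuntu notes describe. The sysctl file name is the one Ubuntu's AppArmor-patched kernels expose (an assumption for other distributions, which may not carry the patch at all); the profile name and binary path are placeholders.

```shell
#!/bin/sh
# Sysctl file Ubuntu's AppArmor patches expose (assumption: the Ubuntu name;
# distributions without the patch set will simply not have it).
USERNS_SYSCTL=/proc/sys/kernel/apparmor_restrict_unprivileged_userns

# Classify the restriction state from a sysctl file. Prints "restricted",
# "unrestricted", "unknown" or "not-present" (kernel lacks the knob).
userns_restriction_state() {
    f="$1"
    if [ ! -r "$f" ]; then
        echo "not-present"
        return 0
    fi
    case "$(cat "$f")" in
        1) echo "restricted" ;;
        0) echo "unrestricted" ;;
        *) echo "unknown" ;;
    esac
}

# Emit the profile the release notes describe for a program that needs
# capabilities inside a user namespace but has no real AppArmor policy yet:
# flags=(unconfined) allows all operations, while the userns rule is what
# lets this binary (and only this binary) create unprivileged user namespaces.
# $1 = profile name (placeholder), $2 = absolute path of the binary (placeholder).
unconfined_userns_profile() {
    name="$1"; path="$2"
    cat <<EOF
abi <abi/4.0>,
include <tunables/global>

profile $name $path flags=(unconfined) {
  userns,

  include if exists <local/$name>
}
EOF
}

# One-line status for the running kernel; a profile only matters if "restricted".
report() {
    echo "unprivileged userns restriction: $(userns_restriction_state "$USERNS_SYSCTL")"
}

if [ "${1:-}" = "--report" ]; then report; fi
```

Running the script with `--report` prints the current state; the generated profile would be dropped into /etc/apparmor.d/ and loaded with the usual AppArmor tooling.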