FS#62990 - [linux-zen][linux-lts] CONFIG_USER_NS_UNPRIVILEGED is not set, breaks BubbleWrap and Flatpak

Attached to Project: Arch Linux
Opened by Britt Yazel (brittyazel) - Monday, 24 June 2019, 07:25 GMT
Last edited by Jan Alexander Steffens (heftig) - Monday, 24 June 2019, 11:31 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To Andreas Radke (AndyRTR)
Jan Alexander Steffens (heftig)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 3
Private No

Details

In the main kernel, CONFIG_USER_NS_UNPRIVILEGED has been set to "y", whereas in Linux-Zen it has not. This wasn't an issue until Barthalion updated Bubblewrap with "--with-priv-mode=none" which essentially breaks Flatpak without manual user correction.

Is this intentional?
This task depends upon

Closed by  Jan Alexander Steffens (heftig)
Monday, 24 June 2019, 11:31 GMT
Reason for closing:  Fixed
Additional comments about closing:  linux-lts 4.19.55-2
linux-zen 5.1.14.zen1-2
Comment by Jan Alexander Steffens (heftig) - Monday, 24 June 2019, 07:36 GMT
No, it's not. Fixing -zen.
Comment by David (Marzal) - Monday, 24 June 2019, 08:06 GMT
linux-hardened has also no CONFIG_USER_NS_UNPRIVILEGED defined.

It is safer to enable CONFIG_USER_NS_UNPRIVILEGED than just revert the "--with-priv-mode=none" to "--with-priv-mode=setuid" ?

Or there are other considerations to prefer having "--with-priv-mode=none" on Bubblewrap and CONFIG_USER_NS_UNPRIVILEGED enabled in the kernels
Comment by Jan Alexander Steffens (heftig) - Monday, 24 June 2019, 08:29 GMT
If bwrap is setuid, glibc will sanitize its environment. This makes it impossible to pass e.g. TMPDIR into the sandbox without a helper script on the other side.
Comment by Jan Alexander Steffens (heftig) - Monday, 24 June 2019, 08:30 GMT
https://github.com/flatpak/flatpak/issues/2641

Loading...