FS#63295 - [linux-hardened] CONFIG_USER_NS_UNPRIVILEGED is undefined, which causes flatpak to break

Attached to Project: Arch Linux
Opened by Eternal (eternal) - Saturday, 27 July 2019, 19:23 GMT
Last edited by Eli Schwartz (eschwartz) - Tuesday, 20 August 2019, 01:54 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To No-one
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

Description: CONFIG_USER_NS_UNPRIVILEGED is not defined in linux-hardened, which causes flatpak to fail with bubblewrap 0.3.3-2. Running an application on flatpak results in the following error message:

bwrap: No permissions to creating new namespace, likely because the kernel does not allow non-privileged user namespaces. On e.g. debian this can be enabled with 'sysctl kernel.unprivileged_userns_clone=1'

bubblewrap 0.3.3-2 was updated with the configuration "--with-priv-mode=none", which assumes that the kernel has CONFIG_USER_NS_UNPRIVILEGED set to "y" as in the main linux package. Task 62990 was filed for bubblewrap, which resulted in linux-lts 4.1.55-2 and linux-zen 5.1.14.zen1-2 setting CONFIG_USER_NS_UNPRIVILEGED to "y". linux-hardened should do the same.

https://bugs.archlinux.org/task/62990

Additional info:
* Package versions: linux-hardened 5.1.19.a-1, flatpak 1.4.2-1, bubblewrap 0.3.3-2

Steps to reproduce:
* With any flatpak application installed, run the application using: flatpak run <application name>
This task depends upon

Closed by  Eli Schwartz (eschwartz)
Tuesday, 20 August 2019, 01:54 GMT
Reason for closing:  Won't implement
Additional comments about closing:  The correct solution for the hardened kernel is to be able to run bubblewrap as a hardened application, which is now available via bubblewrap-suid.

OP agrees and has withdrawn request.
Comment by Eternal (eternal) - Saturday, 27 July 2019, 19:27 GMT
bubblewrap 0.3.3-2 changes:
https://git.archlinux.org/svntogit/packages.git/commit/trunk?h=packages/bubblewrap&id=bf828975d4cf5654af7fabe0452e323636191748

linux-lts 4.19.55-2 changes:
https://git.archlinux.org/svntogit/packages.git/commit/trunk?h=packages/linux-lts&id=9560688a329dd84dbe8fcd54fc347548adc31814

linux-zen 5.1.14.zen1-2 changes:
https://git.archlinux.org/svntogit/packages.git/commit/trunk?h=packages/linux-zen&id=46664b461d444eceedb0744923eb471c91fed172
Comment by Levente Polyak (anthraxx) - Saturday, 27 July 2019, 19:35 GMT
hardened will not get unprivileged userns, instead there will be a bubblewrap with suid to get back old behavior.
Comment by Eternal (eternal) - Saturday, 27 July 2019, 19:46 GMT
Thanks for the fast response. Is it possible to change the title of this task to [bubblewrap], or should I file a new one?
Comment by Eli Schwartz (eschwartz) - Sunday, 28 July 2019, 07:57 GMT
It's worth noting that making linux-hardened become... linux-not-hardened-anymore, doesn't make much sense to begin with. If you don't want a hardened kernel, just use core/linux... If you want to use a hardened kernel, you should be considering ways to to keep it so.
Comment by Eternal (eternal) - Tuesday, 30 July 2019, 05:50 GMT
You're completely right. I've requested closure of this task, and I'll see if bubblewrap can change anything on their end.

bubblewrap task:
https://bugs.archlinux.org/task/63316
Comment by Eternal (eternal) - Wednesday, 31 July 2019, 10:36 GMT
The issue has been addressed in bubblewrap:

https://git.archlinux.org/svntogit/packages.git/commit/trunk?h=packages/bubblewrap&id=d250b66d6652171b8161458e67db7fda0f589152

Loading...