FS#63295 - [linux-hardened] CONFIG_USER_NS_UNPRIVILEGED is undefined, which causes flatpak to break

Attached to Project: Arch Linux
Opened by Eternal (eternal) - Saturday, 27 July 2019, 19:23 GMT
Last edited by Eli Schwartz (eschwartz) - Tuesday, 20 August 2019, 01:54 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To No-one
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No


Description: CONFIG_USER_NS_UNPRIVILEGED is not defined in linux-hardened, which causes flatpak to fail with bubblewrap 0.3.3-2. Running an application on flatpak results in the following error message:

bwrap: No permissions to creating new namespace, likely because the kernel does not allow non-privileged user namespaces. On e.g. debian this can be enabled with 'sysctl kernel.unprivileged_userns_clone=1'

bubblewrap 0.3.3-2 was updated with the configuration "--with-priv-mode=none", which assumes that the kernel has CONFIG_USER_NS_UNPRIVILEGED set to "y" as in the main linux package. Task 62990 was filed for bubblewrap, which resulted in linux-lts 4.1.55-2 and linux-zen 5.1.14.zen1-2 setting CONFIG_USER_NS_UNPRIVILEGED to "y". linux-hardened should do the same.


Additional info:
* Package versions: linux-hardened 5.1.19.a-1, flatpak 1.4.2-1, bubblewrap 0.3.3-2

Steps to reproduce:
* With any flatpak application installed, run the application using: flatpak run <application name>
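The failure reported above depends on three facts about the machine: whether the kernel was built with CONFIG_USER_NS, whether the linux-hardened sysctl kernel.unprivileged_userns_clone denies unprivileged user namespaces, and whether the installed bwrap is setuid root (the bubblewrap-suid route). As an added diagnostic that is not part of the report and not Arch Linux or bubblewrap code, the POSIX sh script below collects those three observations and turns them into one verdict. The sysctl file and the CONFIG_USER_NS_UNPRIVILEGED option exist only on linux-hardened (older Debian kernels carried the same sysctl); a mainline kernel has neither, and the script treats their absence as "allowed", which deliberately ignores other gates such as user.max_user_namespaces=0. The config fragments in the script are constructed samples, not dumps of real kernels.

```shell
#!/bin/sh
# Added example, not code from the bug report, Arch Linux or bubblewrap.
# Diagnoses why a bwrap built with --with-priv-mode=none cannot create a
# user namespace, from three observations:
#   1. CONFIG_USER_NS in the kernel config (mainline option),
#   2. the kernel.unprivileged_userns_clone sysctl (linux-hardened and older
#      Debian kernels only; mainline has no such file),
#   3. whether the installed bwrap binary is setuid root.
# The decision logic lives in small functions so it can be exercised on
# constructed input without a hardened kernel.

# Read kernel config lines on stdin; print y, n or unset for CONFIG_USER_NS.
config_user_ns_value() {
    line=$(grep -E '^(CONFIG_USER_NS=|# CONFIG_USER_NS is not set)' | head -n 1 || true)
    case "$line" in
        'CONFIG_USER_NS=y') echo y ;;
        '') echo unset ;;
        *) echo n ;;
    esac
}

# Read kernel config lines on stdin; print y, n or absent for the
# linux-hardened option CONFIG_USER_NS_UNPRIVILEGED, which sets the boot-time
# default of kernel.unprivileged_userns_clone.
hardened_userns_default() {
    line=$(grep -E '^(CONFIG_USER_NS_UNPRIVILEGED=|# CONFIG_USER_NS_UNPRIVILEGED is not set)' | head -n 1 || true)
    case "$line" in
        'CONFIG_USER_NS_UNPRIVILEGED=y') echo y ;;
        '') echo absent ;;
        *) echo n ;;
    esac
}

# Interpret /proc/sys/kernel/unprivileged_userns_clone.
# $1: the file's content, or the word "missing" when the file does not exist.
userns_clone_state() {
    case "$1" in
        1) echo allowed ;;
        0) echo denied ;;
        missing) echo not-present ;;
        *) echo unknown ;;
    esac
}

# Combine the observations.
# $1: CONFIG_USER_NS value (y/n/unset)  $2: state from userns_clone_state
# $3: yes if bwrap is setuid root, otherwise no
# Prints: fail-no-userns | ok-unprivileged | ok-setuid | fail-needs-setuid
# "not-present" is treated as allowed (mainline kernel); an "unknown" sysctl
# value is treated as denied, so only a setuid bwrap is accepted then.
bwrap_verdict() {
    if [ "$1" = n ]; then
        echo fail-no-userns
        return 0
    fi
    case "$2" in
        allowed|not-present) echo ok-unprivileged ;;
        *) if [ "$3" = yes ]; then echo ok-setuid; else echo fail-needs-setuid; fi ;;
    esac
}

# Probe the running system: print the raw observations, then the verdict.
probe_live() {
    if [ -r /proc/config.gz ]; then
        cfg=$(zcat /proc/config.gz 2>/dev/null || true)
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cfg=$(cat "/boot/config-$(uname -r)")
    else
        cfg=''
    fi
    uns=$(printf '%s\n' "$cfg" | config_user_ns_value)
    hdef=$(printf '%s\n' "$cfg" | hardened_userns_default)
    if [ -r /proc/sys/kernel/unprivileged_userns_clone ]; then
        clone=$(userns_clone_state "$(cat /proc/sys/kernel/unprivileged_userns_clone)")
    else
        clone=$(userns_clone_state missing)
    fi
    bw=$(command -v bwrap || true)
    if [ -n "$bw" ] && [ -u "$bw" ]; then suid=yes; else suid=no; fi
    echo "CONFIG_USER_NS=$uns CONFIG_USER_NS_UNPRIVILEGED=$hdef unprivileged_userns_clone=$clone bwrap_setuid=$suid"
    bwrap_verdict "$uns" "$clone" "$suid"
}

# Constructed config fragments (not real kernel dumps) for offline use.
SAMPLE_HARDENED='CONFIG_USER_NS=y
# CONFIG_USER_NS_UNPRIVILEGED is not set'
SAMPLE_MAINLINE='CONFIG_USER_NS=y'

# Reproduce the reported situation: hardened config, sysctl set to 0,
# priv-mode=none bwrap. Expected verdict: fail-needs-setuid.
demo_reported_case() {
    uns=$(printf '%s\n' "$SAMPLE_HARDENED" | config_user_ns_value)
    bwrap_verdict "$uns" "$(userns_clone_state 0)" no
}

case "${1:-}" in
    --live) probe_live ;;
    *) demo_reported_case ;;
esac
```

Run it with `--live` to classify the current machine; without arguments it replays the reported combination. The verdicts map directly onto the two resolutions discussed in this task: `fail-needs-setuid` is the state the reporter hit, `ok-setuid` is what bubblewrap-suid provides, and `ok-unprivileged` is the mainline core/linux case.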

Closed by Eli Schwartz (eschwartz)
Tuesday, 20 August 2019, 01:54 GMT
Reason for closing: Won't implement
Additional comments about closing: The correct solution for the hardened kernel is to be able to run bubblewrap as a hardened application, which is now available via bubblewrap-suid.

OP agrees and has withdrawn request.
Comment by Eternal (eternal) - Saturday, 27 July 2019, 19:27 GMT
Comment by Levente Polyak (anthraxx) - Saturday, 27 July 2019, 19:35 GMT
hardened will not get unprivileged userns, instead there will be a bubblewrap with suid to get back old behavior.
Comment by Eternal (eternal) - Saturday, 27 July 2019, 19:46 GMT
Thanks for the fast response. Is it possible to change the title of this task to [bubblewrap], or should I file a new one?
Comment by Eli Schwartz (eschwartz) - Sunday, 28 July 2019, 07:57 GMT
It's worth noting that making linux-hardened become... linux-not-hardened-anymore, doesn't make much sense to begin with. If you don't want a hardened kernel, just use core/linux... If you want to use a hardened kernel, you should be considering ways to keep it so.
Comment by Eternal (eternal) - Tuesday, 30 July 2019, 05:50 GMT
You're completely right. I've requested closure of this task, and I'll see if bubblewrap can change anything on their end.

bubblewrap task:
Comment by Eternal (eternal) - Wednesday, 31 July 2019, 10:36 GMT