profiles: clarify userns comments & fix comment on electron.profile #5304
Conversation
@pirate486743186 commented on Aug 7:
@pirate486743186 commented on Aug 9:
Makes sense to me. Feel free to submit it in a new PR after this PR is merged (to avoid
Unprivileged userns clone is not a thing unto itself, so quoting it makes it
more confusing IMO. I think having a reference to the relevant man page should
provide enough context.
Also, an additional suggestion for etc/firejail.config:
# This logging feature is disabled by default in our implementation.
# seccomp-log no
-# Enable or disable user namespace support, default enabled.
+# Enable or disable user namespace support, default enabled. See
+# user_namespaces(7).
# userns yes
# Disable whitelist top level directories, in addition to those
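Review bot: The new `See user_namespaces(7).` pointer explains the kernel concept but says nothing about what `userns yes` changes in Firejail or whether the option needs a kernel that permits unprivileged user namespace creation, which is exactly the point the profile comments in this PR are trying to settle; if the option does depend on that, one more clause such as `# Requires a kernel that allows unprivileged users to create user namespaces.` would answer the question where users look for it.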
Lastly, the commit message could be clearer. Example:
profiles minor edits
->
docs: clarify meaning of userns & fix comment on electron.profile
We could be more clear that this maps to
@rusty-snake commented on Aug 11:
If by " Though I would add a comment to each command in the man pages instead of in
You are overcomplicating it. You need to speak in stupid. You don't need all these details, you speak to a user, not a CPU. All that is needed is simply to make it clear it's not a typo. What about "unprivileged user namespaces (userns) clone", without the quotes?
Writing user namespace out is good and IMHO we don't need the "(userns)".
@pirate486743186 commented on Aug 12:
This is as verbose as I can make it in 3 lines: -# Add the next line to your chromium-common.local if your kernel allows "unprivileged userns clone".
+# If your kernel allows the creation of user namespaces by unprivileged users
+# (that is, if `sysctl kernel.unprivileged_userns_clone` is >= 1), you can add
+# the next line to your chromium-common.local. By the way, I could not find the above sysctl variable being documented: $ man -w 7 user_namespaces | xargs pacman -Qo
/usr/share/man/man7/user_namespaces.7.gz is owned by man-pages 5.13-1
$ man 7 user_namespaces | grep -F unprivileged_userns
$
$ pacman -Q linux-docs
linux-docs 5.18.16.artix1-1
$ pacman -Qlq linux-docs | grep -v '/$' | xargs \
grep -F unprivileged_userns 2>/dev/null
$
So I think that it would be good to have it written down somewhere in firejail,
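Review bot: The replacement comment tells the user to run `sysctl kernel.unprivileged_userns_clone`, but as the same post shows that sysctl appears neither in user_namespaces(7) nor in linux-docs, so a reader whose kernel lacks it gets an error and no guidance; the comment should either name the tunable as kernel-specific or describe a check that works on any kernel, and the `(that is, if ... is >= 1)` parenthesis in `+# (that is, if \`sysctl kernel.unprivileged_userns_clone\` is >= 1), you can add` is the place to do that.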
@rusty-snake commented on Aug 13:
I see, thanks. Do you know of a more portable way to check if it's allowed?
Perhaps testing
@glitsj16 then are all userns disallowed, not only unprivileged. And if it is >0, they can still be disabled for unprivileged processes. Maybe running
@rusty-snake commented on Aug 13:
Nice, that seems to work:
$ sudo sysctl kernel.unprivileged_userns_clone=1
kernel.unprivileged_userns_clone = 1
$ unshare -U true; echo $?
0
$ unshare -U whoami
nobody
$ sudo sysctl kernel.unprivileged_userns_clone=0
kernel.unprivileged_userns_clone = 0
$ unshare -U true; echo $?
unshare: unshare failed: Operation not permitted
1
$ unshare -U whoami
unshare: unshare failed: Operation not permitted How about this then? -# Add the next line to your chromium-common.local if your kernel allows "unprivileged userns clone".
+# If your kernel allows the creation of user namespaces by unprivileged users
+# (for example, if running `unshare -U whoami` prints "nobody"), you can add
+# the next line to your chromium-common.local. |
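Review bot: Keying the check on `unshare -U whoami` printing `nobody` ties the test to how the local passwd database names the unmapped overflow uid rather than to whether the namespace was created, so it can mislead on a system where that uid resolves to a different name; the transcript above already shows that the failing case reports `unshare: unshare failed: Operation not permitted` with a non-zero status, so the comment should depend only on whether the `unshare -U` command succeeds (for example `unshare -U true` exiting 0) and not on what the inner command prints.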
Is there a way
@rusty-snake commented on Aug 28:
I wondered about that too, but not sure.
Agreed; updated diff: -# Add the next line to your chromium-common.local if your kernel allows "unprivileged userns clone".
+# If your kernel allows the creation of user namespaces by unprivileged users
+# (for example, if running `unshare -U echo enabled` prints "enabled"), you
+# can add the next line to your chromium-common.local. |
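Review bot: `unshare -U echo enabled` is a good portability improvement over the sysctl and whoami variants, but the comment describes only the success case; since the transcript earlier in this thread shows the denied case printing `unshare: unshare failed: Operation not permitted`, one more clause telling the user that this message means the kernel does not allow it (and that `unshare: command not found`, i.e. util-linux missing, is a different condition) would save the reader a trip back to this PR.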
clarified description and fixed a comment.
I think it should be renamed to electron-common.profile ...
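The portable check that the thread converges on, written out as an added example (this is not firejail code and not part of the PR): it runs the `unshare -U` test from the discussion for an unprivileged caller and, when run as root or when util-linux is not installed, falls back to the kernel tunables `/proc/sys/user/max_user_namespaces` and the non-upstream `/proc/sys/kernel/unprivileged_userns_clone` mentioned above; the function names and the `allowed`/`denied`/`unknown` vocabulary are my own.

```sh
#!/bin/sh
# Added example (not firejail code): report whether an unprivileged user
# can create a user namespace on this machine. Prints one word:
# allowed, denied or unknown.

# Print a /proc tunable, or nothing if it does not exist. The
# kernel.unprivileged_userns_clone file is a distribution-specific
# addition, so its absence is normal on many kernels.
read_tunable() {
    cat "$1" 2>/dev/null || true
}

userns_status() {
    # The empirical test is only meaningful for an unprivileged caller:
    # root may create user namespaces even when unprivileged users cannot.
    if [ "$(id -u)" != 0 ] && command -v unshare >/dev/null 2>&1; then
        # Create a user namespace and run a harmless command inside it.
        # Only the exit status matters, not what the command prints.
        if unshare -U true 2>/dev/null; then
            echo allowed
        else
            echo denied
        fi
        return 0
    fi
    # Running as root, or util-linux unshare missing: use the tunables.
    max=$(read_tunable /proc/sys/user/max_user_namespaces)
    clone=$(read_tunable /proc/sys/kernel/unprivileged_userns_clone)
    if [ "$max" = 0 ]; then
        echo denied      # user namespaces disabled for every user
    elif [ "$clone" = 0 ]; then
        echo denied      # disabled for unprivileged users only
    elif [ -n "$max" ]; then
        echo allowed     # limit is non-zero and no distro switch says no
    else
        echo unknown     # neither tunable readable; cannot tell
    fi
}

# Example use: only suggest the userns line in a .local file when it works.
echo "unprivileged user namespaces: $(userns_status)"
```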