Message-ID: <ZiKo7shztRpgvAIC@remnant.pseudorandom.co.uk>
Date: Fri, 19 Apr 2024 18:25:02 +0100
From: Simon McVittie <smcv@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: Linux: Disabling network namespaces

On Fri, 19 Apr 2024 at 17:44:35 +0200, Solar Designer wrote:
> I guess
> systemd's PrivateNetwork services generally don't configure networking
> (they just give up network access), so would continue to work even with
> capabilities disallowed?

I can't speak for systemd's PrivateNetwork services, but for the
bubblewrap use-cases that I described elsewhere in the thread (Flatpak,
libgnome-desktop etc.), `bwrap --unshare-net` does bring up the "lo"
interface with address 127.0.0.1 and a route to 127.0.0.0/8 before it
relinquishes its capabilities and execs the sandboxed program.

Presumably this is because it's common for ordinary user-space applications
to assume that they can "talk to themselves" via loopback, even if there is
no external connectivity.

    smcv
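The sequence Simon describes (unshare the network namespace, bring "lo" up while the launcher still holds CAP_NET_ADMIN, then relinquish capabilities) can be reproduced and checked in a few dozen lines. The program below is an added example written for this thread, not bubblewrap's own code: bwrap adds the 127.0.0.1 address and 127.0.0.0/8 route explicitly over netlink, whereas this simplified version only flips IFF_UP on "lo" and relies on the kernel assigning 127.0.0.1/8 to a loopback device automatically when it comes up. The function names (demo_sandbox_loopback and its helpers) are mine. It needs Linux with unprivileged user namespaces permitted; where a kernel sysctl or a container seccomp profile refuses unshare(CLONE_NEWUSER), it reports that instead of failing.

```c
/* Added example, not bubblewrap's code: unshare a user+network namespace,
 * bring "lo" up while CAP_NET_ADMIN is still held, drop every capability,
 * then confirm loopback works but the netns can no longer be reconfigured. */
#define _GNU_SOURCE
#include <errno.h>
#include <linux/capability.h>
#include <net/if.h>
#include <netinet/in.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Set or clear IFF_UP with SIOCSIFFLAGS; needs CAP_NET_ADMIN over the netns.
 * Bringing "lo" up makes the kernel assign 127.0.0.1/8 to it automatically.
 * Returns 0 on success or -errno. */
static int set_iface_up(const char *name, int up)
{
    struct ifreq ifr;
    int fd = socket(AF_INET, SOCK_DGRAM, 0), rc = 0;
    if (fd < 0)
        return -errno;
    memset(&ifr, 0, sizeof ifr);
    strncpy(ifr.ifr_name, name, IFNAMSIZ - 1);
    if (ioctl(fd, SIOCGIFFLAGS, &ifr) < 0) {
        rc = -errno;
    } else {
        ifr.ifr_flags = up ? (ifr.ifr_flags | IFF_UP) : (ifr.ifr_flags & ~IFF_UP);
        if (ioctl(fd, SIOCSIFFLAGS, &ifr) < 0)
            rc = -errno;
    }
    close(fd);
    return rc;
}

/* Clear the permitted, effective and inheritable sets with raw capset(2),
 * then forbid regaining privilege through exec. Returns 0 or -errno. */
static int drop_all_caps(void)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    memset(data, 0, sizeof data);
    if (syscall(SYS_capset, &hdr, data) < 0)
        return -errno;
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0 ? -errno : 0;
}

/* Unprivileged self-test: listen on 127.0.0.1 (port chosen by the kernel)
 * and connect to it. bind() fails with EADDRNOTAVAIL if "lo" is still down. */
static int loopback_roundtrip(void)
{
    struct sockaddr_in sa = { .sin_family = AF_INET };
    socklen_t len = sizeof sa;
    int srv = socket(AF_INET, SOCK_STREAM, 0), cli = -1, acc = -1, rc = -1;
    if (srv < 0)
        return -1;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(srv, (struct sockaddr *)&sa, sizeof sa) == 0 && listen(srv, 1) == 0 &&
        getsockname(srv, (struct sockaddr *)&sa, &len) == 0 &&
        (cli = socket(AF_INET, SOCK_STREAM, 0)) >= 0 &&
        connect(cli, (struct sockaddr *)&sa, sizeof sa) == 0 &&
        (acc = accept(srv, NULL, NULL)) >= 0)
        rc = 0;
    if (acc >= 0) close(acc);
    if (cli >= 0) close(cli);
    close(srv);
    return rc;
}

/* 0: every step behaved as described; 1: this kernel or container refuses
 * unprivileged user namespaces, so nothing could be demonstrated; -1: any
 * other failure. No uid_map is written: the new user namespace already
 * grants a full capability set over the netns it owns, which is all we need. */
int demo_sandbox_loopback(void)
{
    if (unshare(CLONE_NEWUSER | CLONE_NEWNET) < 0)
        return 1;                          /* EPERM, EINVAL, ENOSYS, ... */
    if (set_iface_up("lo", 1) != 0)        /* while CAP_NET_ADMIN is still held */
        return -1;
    if (drop_all_caps() != 0)
        return -1;
    if (set_iface_up("lo", 0) != -EPERM)   /* reconfiguration is now refused */
        return -1;
    return loopback_roundtrip();           /* ...but 127.0.0.1 still works */
}

int main(void)
{
    int r = demo_sandbox_loopback();
    printf("%s\n", r == 0 ? "lo up, caps dropped, loopback self-connect OK" :
           r == 1 ? "user namespaces not permitted here" : "unexpected failure");
    return r < 0;
}
```

The order matters: in a freshly created network namespace "lo" exists but is down, so a sandboxed program that merely assumed 127.0.0.1 was reachable would get EADDRNOTAVAIL on bind() and ENETUNREACH on connect(). Doing the interface setup before capset() is what lets the sandboxed program keep loopback without keeping CAP_NET_ADMIN; the second set_iface_up() call is the check that the privilege really is gone. To see the difference yourself, comment out the first set_iface_up() call and watch loopback_roundtrip() fail.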
