Hi guys!
I am currently trying Arch in a VM and I like it a lot. Wanted to try the hardened kernel all the time, but it has the problem of forbidding custom namespaces.
Tbh I don't even know what that is, but on Arch, installing bubblewrap-suid fixes the Flatpak problem.
I could not find such a package for Podman, which is used as backend (?) in Distrobox.
Is there a way to make Podman, Docker, Distrobox, Toolbox work on linux-hardened?
This is a big requirement for making a Fedora Atomic version using the hardened kernel, which sounds great, as they completely rely on these containers.
Tools like Podman, Docker, Distrobox and Toolbox use custom uid namespaces. I don’t see how they could work with them disabled.
With a specific exception only for one software. I would be happy with Flatpak and Podman. Maybe Waydroid and wine too though?
Wine should just work.
Waydroid needs extra support from the kernel that linux-hardened has disabled at compile time. There's a DKMS solution however.

This one? It doesn't mention the hardened kernel at all; is this some obsolete modification not needed in modern kernels?
binder_linux-dkms
It's an Android thing.

Crazy that it just works on Fedora.
That just means they have the feature enabled at compile time. Linux-Zen is the only kernel that has it on Arch.
Basically, you want to not disable kernel.unprivileged_userns_clone. For a temporary solution that has to be redone after reboot, there is:
sysctl kernel.unprivileged_userns_clone=1
For a lasting solution, consider:
echo kernel.unprivileged_userns_clone=1 | sudo tee /etc/sysctl.d/99-enable-unpriv-userns.conf
In either case you're foregoing security for the sake of convenience/functionality, so I understand why you would rather not act upon either of them.

I don't know what the solution is that would be analogous to installing bubblewrap-suid. Perhaps it's worth exploring the projects found within the GitHub page of Awesome Fedora Security for some pointers.