> On Apr 17, 2019, at 5:19 AM, Florian Weimer <fwei...@redhat.com> wrote:
>
> * Andy Lutomirski:
>
>> I would personally *love* it if distros started setting no_new_privs
>> for basically all processes.
>
> Wouldn't no_new_privs inhibit all security transitions, including those
> that reduce privileges? And therefore effectively reduce security?
In principle, you still can reduce privileges with no_new_privs. SELinux has a
whole mechanism for privilege-reducing transitions on exec that works in
no_new_privs mode. Also, all the traditional privilege dropping techniques work
— setresuid(), unshare(), etc are all unaffected.
>
> There seems to be some demand to be able to do large
> parts of container setup using posix_spawn, so we'll probably add
> support for things like writing to arbitrary files eventually. And of
> course, proper error reporting, so that you can figure out which file
> creation action failed.
>
ISTM the way to handle this is to have a way to make a container, set it up,
and then clone/spawn into it. The current unshare() API is severely awkward.
Maybe the new better kernel spawn API shouldn’t support unshare-like semantics
at all and should instead work like setns().
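As an added illustration (not part of this thread) of the point that setresuid() and friends keep working under no_new_privs, here is a small Linux C program that sets the flag with prctl() and then lowers privileges the traditional way; drop_privs_nnp and nnp_is_set are hypothetical helper names.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <unistd.h>

/* Set PR_SET_NO_NEW_PRIVS, then reduce privileges with the classic
 * setres*id() calls. no_new_privs only stops exec() from *granting*
 * privileges (setuid bits, file capabilities); it does not block
 * lowering them, so the drop below succeeds regardless of the flag.
 * Returns 0 on success, -1 (errno set) on failure. Hypothetical helper. */
int drop_privs_nnp(uid_t uid, gid_t gid)
{
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    /* Clear supplementary groups first; needs CAP_SETGID, so only when root. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    /* Drop gid before uid: once uid is unprivileged, setresgid would fail. */
    if (setresgid(gid, gid, gid) != 0)
        return -1;
    if (setresuid(uid, uid, uid) != 0)
        return -1;
    /* Verify the drop took hold in all three ids (real, effective, saved). */
    uid_t r, e, s;
    if (getresuid(&r, &e, &s) != 0 || r != uid || e != uid || s != uid)
        return -1;
    return 0;
}

/* Report whether no_new_privs is set on the calling thread (1/0, -1 on error). */
int nnp_is_set(void)
{
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

int main(void)
{
    /* Running unprivileged, "dropping" to our own ids exercises the same path. */
    if (drop_privs_nnp(getuid(), getgid()) != 0) {
        perror("drop_privs_nnp");
        return 1;
    }
    printf("no_new_privs=%d uid=%u gid=%u\n", nnp_is_set(),
           (unsigned)geteuid(), (unsigned)getegid());
    return 0;
}
```

Run as root with a real target uid/gid to see an actual drop; the flag is inherited across fork() and exec(), so anything spawned afterwards stays bound by it.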