Hi guys!
I am currently trying Arch in a VM and I like it a lot. Wanted to try the hardened kernel all the time, but it has the problem of forbidding custom namespaces.
Tbh I dont even know what that is, but on arch, installing bubblewrap-suid
fixes the flatpak problem.
I could not find such a package for Podman, which is used as backend (?) in Distrobox.
Is there a way to make Podman, Docker, Distrobox, Toolbox work on linux-hardened?
This is a big requirement for making a Fedora Atomic version using the hardened kernel, which sounds great, as they completely rely on these containers.
Basically, you want to not disable
kernel.unprivileged_userns_clone
.For a temporary solution that has to be redone after reboot, there is
sysctl kernel.unprivileged_userns_clone=1
.For a lasting solution, consider
echo kernel.unprivileged_userns_clone=1 | sudo tee /etc/sysctl.d/99-enable-unpriv-userns.conf
.In either case you're foregoing security for the sake of convenience/functionality, so I understand why you would rather not act upon either of them.
I don't know what the solution is that would be analogous to installing
bubblewrap-suid
. Perhaps, it's worth exploring the projects found within the github page of Awesome Fedora Security for some pointers.