exile_init_policy(): Don't unshare network namespaces by default
This no longer works on some distros (e. g. Ubuntu 24.04) which move (back) to restrict unprivileged user namespaces, and is not required when Landlock is available, which is more and more a given, thankfully.
此提交包含在:
4
exile.c
4
exile.c
@@ -621,10 +621,10 @@ struct exile_policy *exile_init_policy()
|
|||||||
{
|
{
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
result->drop_caps = 1;
|
result->drop_caps = 0;
|
||||||
result->not_dumpable = 1;
|
result->not_dumpable = 1;
|
||||||
result->no_new_privs = 1;
|
result->no_new_privs = 1;
|
||||||
result->namespace_options = EXILE_UNSHARE_MOUNT | EXILE_UNSHARE_USER;
|
result->namespace_options = EXILE_UNSHARE_AUTOMATIC;
|
||||||
result->namespace_uid = 0;
|
result->namespace_uid = 0;
|
||||||
result->namespace_gid = 0;
|
result->namespace_gid = 0;
|
||||||
return result;
|
return result;
|
||||||
|
|||||||
新增問題並參考
封鎖使用者