While going through the Linux kernel vulnerability CVE-2024-1086, I came to this Openwall discussion thread discussing this particular vulnerability. Now, the vulnerability CVE-2024-1086 is due to how the user namespace is implemented.
In the discussion thread it is mentioned that Fredrik Nystrom has given a good description of this:

"Further, while on Debian/Ubuntu it is possible to disable just unprivileged user namespaces with the Debian-specific sysctl
kernel.unprivileged_userns_clone=0,
on other distros we'd have to use
user.max_user_namespaces=0,
which (unnecessarily) prevents starting of containers even by root."
Now, along with user.max_user_namespaces there is also a kernel parameter user.max_net_namespaces. And since the vulnerability CVE-2024-1086 is related to the Netfilter module of the kernel, it might make sense to disable user namespaces only in the kernel Netfilter module, i.e. use user.max_net_namespaces only. This brings me to my question.
If we set the Debian-specific kernel parameter, i.e. kernel.unprivileged_userns_clone, to zero but not the generic Linux kernel parameters user.max_user_namespaces and user.max_net_namespaces, then which will take precedence? So, if the values of the kernel parameters are like the ones given below:

Code:
kernel.unprivileged_userns_clone = 0
user.max_user_namespaces = 49152
user.max_net_namespaces = 49152
And what happens when it is reversed, like the one given below, i.e. if we enable the Debian-specific kernel parameter but disable the generic Linux kernel parameters? Does the Debian-specific kernel parameter kernel.unprivileged_userns_clone overrule the value of the generic kernel parameters user.max_user_namespaces / user.max_net_namespaces?

Code:
kernel.unprivileged_userns_clone = 1
user.max_user_namespaces = 0
user.max_net_namespaces = 0
Statistics: Posted by DebianFox — 2024-07-01 11:56
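The precedence question above can be settled empirically on the box itself rather than by reading patches. The script below is an added example (it is not from the post or from the Openwall thread): it dumps the three sysctls and then tries to create a user namespace, and a user plus network namespace, with unshare(1) from util-linux, classifying the failure by its error text. The two mechanisms fail differently: the Debian kernel.unprivileged_userns_clone gate refuses CLONE_NEWUSER with EPERM ("Operation not permitted") for callers without CAP_SYS_ADMIN, while a user.max_*_namespaces limit of 0 refuses with ENOSPC ("No space left on device") regardless of privilege, which is why the quoted thread notes it blocks containers even for root. It assumes /proc/sys is mounted and util-linux unshare is installed; the function names are mine.

```sh
#!/bin/sh
# Added example: probe which user-namespace sysctls actually block an
# unprivileged caller. Run it twice, once as an ordinary user and once
# as root, to see which setting each caller is subject to.

# Read a sysctl directly from /proc/sys; print "n/a" when the kernel does
# not have it (kernel.unprivileged_userns_clone exists only on kernels
# carrying the Debian/Ubuntu patch).
read_sysctl() {
    path="/proc/sys/$(printf '%s' "$1" | tr . /)"
    if [ -r "$path" ]; then
        cat "$path"
    else
        echo "n/a"
    fi
}

# Map the stderr of a failed unshare(1) run to the mechanism that fired.
#   EPERM  -> "Operation not permitted": unprivileged_userns_clone=0 gate
#             (or simply no CAP_SYS_ADMIN for a non-user namespace)
#   ENOSPC -> "No space left on device": user.max_*_namespaces ucount limit
#   empty  -> the namespaces were created successfully
classify() {
    case "$1" in
        "")                           echo "allowed" ;;
        *"Operation not permitted"*)  echo "blocked:EPERM (userns_clone gate or no CAP_SYS_ADMIN)" ;;
        *"No space left on device"*)  echo "blocked:ENOSPC (ucount limit)" ;;
        *)                            echo "blocked:other ($1)" ;;
    esac
}

# Attempt the namespace creation with the given unshare(1) flags and
# classify the outcome. stderr is captured, stdout discarded; a non-zero
# exit is expected and swallowed so the caller sees only the verdict.
probe() {
    err=$(unshare "$@" true 2>&1 >/dev/null) || true
    classify "$err"
}

main() {
    for k in kernel.unprivileged_userns_clone \
             user.max_user_namespaces \
             user.max_net_namespaces; do
        printf '%-35s %s\n' "$k" "$(read_sysctl "$k")"
    done
    printf '%-35s %s\n' "unshare -U  (user ns only)" "$(probe -U)"
    printf '%-35s %s\n' "unshare -Un (user + net ns)" "$(probe -U -n)"
}

main "$@"
```

Reading the two columns together answers the question for your kernel: if the first probe fails with EPERM while user.max_user_namespaces is non-zero, the Debian gate is what stopped you; if it fails with ENOSPC while kernel.unprivileged_userns_clone is 1, the ucount limit did. Comparing the -U and -Un rows separates the effect of user.max_net_namespaces from that of user.max_user_namespaces.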