[Ksummit-discuss] [CORE TOPIC] Kernel tinification: shrinking the kernel and avoiding size regressions

Josh Triplett josh at joshtriplett.org
Sat May 10 03:44:47 UTC 2014


On Fri, May 09, 2014 at 05:38:49PM -0700, Andy Lutomirski wrote:
> We're almost at the point where it would be reasonable to shove
> basically every service on a system into a user namespace, in which
> case, barring bugs, you shouldn't be able to own the kernel.  I wonder
> if this might do pretty much exactly what you want.

We should absolutely do this, and it'll make a big difference.  However,
"barring bugs" is a pretty big bar; in practice, it's probably easier to
get from user->kernel than to get from user->root, just because you can
do the former from any process that can make system calls.  We're not
anywhere close to done with fixing system call vulnerabilities.

> Essentially, you'd mount your filesystems, make a new userns, move all
> network devices into a new netns owned by that userns, unshare the
> mount namespace, and somehow get systemd or whatever other init
> program you're using to play along.

systemd makes it rather easy to configure a service for this kind of
namespace isolation.  You can, for instance, put services that don't
need the network in a network namespace that only includes localhost.  I
suspect that far more services will take advantage of that than will
attempt to configure an equivalent isolation setup manually.

- Josh Triplett
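As an added illustration of the systemd isolation described above (this is not part of the original mail; the unit name and paths are hypothetical, and it assumes a current systemd that provides these directives), a drop-in that confines a service which never needs the network to a loopback-only network namespace, a user namespace and a private mount namespace, and trims the system-call surface it can reach:

```ini
# /etc/systemd/system/example-worker.service.d/sandbox.conf
# Drop-in for a hypothetical "example-worker.service" that does not need the network.
[Service]
# New network namespace containing only a loopback device: the service sees
# localhost and nothing else, with no per-service firewall rules needed.
PrivateNetwork=yes
# Run inside a user namespace; root inside the namespace is not root on the host.
PrivateUsers=yes
# Private mount namespace: the host filesystem is read-only except for the
# paths listed explicitly below.
PrivateMounts=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
ReadWritePaths=/var/lib/example-worker
# Reduce the reachable kernel attack surface: no setuid escalation, and only the
# system-call group a typical daemon needs; anything else fails with EPERM.
NoNewPrivileges=yes
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
```

After `systemctl daemon-reload`, `systemd-analyze security example-worker.service` reports the exposure that remains, and `systemd-run --wait -p PrivateNetwork=yes ip link` shows the loopback-only view such a service gets.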
