Comment 12 for bug 2046844

John Johansen (jjohansen) wrote :

Unfortunately it has to be a privileged operation; otherwise any application could set the attribute and then have access to user namespaces. The problem with unprivileged user namespaces is that it makes privileged interfaces available to the user in ways that they weren't designed for, leading to vulnerabilities. Yes, it tries to mitigate and control this in some ways, but the reality is the kernel is always adding new interfaces that are privileged, so it's a game of whack-a-mole.

To quote Linus about adding user namespaces: "it was a mistake. We're stuck with it". This is just an after-the-fact mitigation, and as such there is going to be a somewhat painful transition period.

There is another reason not to use a single attribute as well. This is a stepping stone to bringing much tighter/finer confinement to the desktop. Having unique labels on the applications will allow us to start deploying finer controls over who can talk to whom. This is really important when one of those entities has elevated privileges, which is the case for applications making use of unprivileged user namespaces.