lxc/distrobuilder

Ability to disable NoNewPrivileges & co. overrides

WRMSRwasTaken opened this issue · 0 comments

I've noticed that, due to #561 and previous commits in this discussion, my systems set NoNewPrivileges=no.

However, running Arch Linux with the hardened kernel 6.8.9-hardened1-1-hardened (linux-hardened) with Incus 6.3, modifying the generator still works for me with unprivileged containers:

# /run/systemd/system/service.d/zzz-lxc-service.conf
[Service]
ProtectControlGroups=yes
ProtectKernelTunables=yes
NoNewPrivileges=yes

The only problematic option I can't set to true due to the hardened kernel is PrivateUsers, which will result in the following error:

Failed to set up user namespacing: Operation not permitted
Failed at step USER spawning /foo: Operation not permitted

So the question is: Is there a way to disable the drop-in for those security options and allow users to opt in (possibly requiring trial and error) without having to delete the /etc/systemd/system-generators/lxc file on every new container?
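The reason an administrator's own drop-in under /etc does not simply win over the generator's /run/systemd/system/service.d/zzz-lxc-service.conf is systemd's drop-in precedence rule (systemd.unit(5)): drop-ins with different names are applied in lexicographic order of filename regardless of directory, and only same-named drop-ins are resolved by directory priority (/etc over /run over /usr/lib). The following is an added example, not code from distrobuilder or from the issue author: a small Python model of that rule, run over constructed file contents (the keys are those shown in the issue; the "no" values stand in for what the generator writes and are constructed for the demonstration).

```python
"""
Model of systemd's drop-in precedence for a service.d/ hierarchy.

Added example (not distrobuilder's code). It re-implements, in plain Python,
the rules documented in systemd.unit(5):

  * a drop-in in /etc overrides a same-named drop-in in /run, which
    overrides a same-named drop-in in /usr/lib;
  * drop-ins with *different* names are applied in lexicographic order of
    filename, regardless of which directory they live in;
  * within that order, a later Key= assignment replaces an earlier one.

All file contents below are constructed for the demonstration.
"""
from configparser import ConfigParser
from pathlib import PurePosixPath

# Search directories in descending priority, as in systemd.unit(5).
SEARCH_DIRS = (
    "/etc/systemd/system",
    "/run/systemd/system",
    "/usr/lib/systemd/system",
)


def select_dropins(files):
    """Return the drop-in paths systemd would apply, in application order.

    `files` maps an absolute path to its text. Only <dir>/service.d/*.conf
    entries are considered. For each basename the copy from the
    highest-priority directory is kept; survivors are sorted by basename.
    """
    chosen = {}  # basename -> (directory rank, path)
    for path in files:
        p = PurePosixPath(path)
        for rank, base in enumerate(SEARCH_DIRS):
            if p.parent == PurePosixPath(base) / "service.d" and p.suffix == ".conf":
                prev = chosen.get(p.name)
                if prev is None or rank < prev[0]:
                    chosen[p.name] = (rank, path)
                break
    return [chosen[name][1] for name in sorted(chosen)]


def effective_service_settings(files):
    """Compute the [Service] keys in effect after all drop-ins are applied."""
    settings = {}
    for path in select_dropins(files):
        cp = ConfigParser(interpolation=None, strict=False)
        cp.optionxform = str  # systemd keys are case-sensitive; keep them as written
        cp.read_string(files[path])
        if cp.has_section("Service"):
            for key, value in cp.items("Service"):
                settings[key] = value  # a later drop-in replaces an earlier value
    return settings


# Constructed stand-in for the generator-written drop-in (path from the issue;
# values constructed to represent the relaxed defaults the issue describes).
GENERATOR_DROPIN = """[Service]
ProtectControlGroups=no
ProtectKernelTunables=no
NoNewPrivileges=no
"""

# Constructed administrator hardening drop-in (the values the issue wants).
ADMIN_HARDENING = """[Service]
ProtectControlGroups=yes
ProtectKernelTunables=yes
NoNewPrivileges=yes
"""


def scenario_low_sorting_name():
    """/etc drop-in with a *different*, lower-sorting name: the zzz- file still wins."""
    files = {
        "/run/systemd/system/service.d/zzz-lxc-service.conf": GENERATOR_DROPIN,
        "/etc/systemd/system/service.d/10-hardening.conf": ADMIN_HARDENING,
    }
    return effective_service_settings(files)


def scenario_same_name_in_etc():
    """/etc drop-in with the *same* name: directory priority makes /etc win."""
    files = {
        "/run/systemd/system/service.d/zzz-lxc-service.conf": GENERATOR_DROPIN,
        "/etc/systemd/system/service.d/zzz-lxc-service.conf": ADMIN_HARDENING,
    }
    return effective_service_settings(files)


if __name__ == "__main__":
    print("10-hardening.conf in /etc:", scenario_low_sorting_name())
    print("zzz-lxc-service.conf in /etc:", scenario_same_name_in_etc())
```

The model only explains the ordering; on a real container the check is what systemd itself reports, e.g. `systemctl cat <unit>` to see which drop-ins were merged and in what order, and `systemctl show -p NoNewPrivileges -p ProtectKernelTunables <unit>` for the values actually in effect. Whether the same-name /etc approach is acceptable for a given deployment is a separate question from whether it takes precedence.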