Include CONFIG_USER_NS in kernel builds

Posted by kralan 
Include CONFIG_USER_NS in kernel builds
December 21, 2022 06:10AM
Hi Bodhi,

please include CONFIG_USER_NS in your kernel builds, it is needed for newer versions of Debian's systemd.

Thanks
Alan
Re: Include CONFIG_USER_NS in kernel builds
December 21, 2022 07:16AM
To be more specific: CONFIG_USER_NS is needed for service files setting PrivateUsers=true, which is the case for redis-server or uidd, for instance.
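
The dependency described in the post above can be checked before deploying a kernel. This is an added example, not part of the thread: it reads a kernel config and a directory of unit files and lists the units that request `PrivateUsers=`. The function names, the `sample-daemon` and `plain` units and all sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: the kernel config and unit files below are constructed samples.

# Print enabled / disabled / unknown for CONFIG_USER_NS in a kernel config file.
userns_config_state() {
    if grep -q '^CONFIG_USER_NS=y$' "$1"; then echo enabled
    elif grep -q '^# CONFIG_USER_NS is not set$' "$1"; then echo disabled
    else echo unknown
    fi
}

# Print the unit files in directory $1 that set PrivateUsers= to a true value.
# Simplification: drop-ins and later overriding assignments are not resolved.
units_wanting_private_users() {
    for f in "$1"/*.service; do
        [ -f "$f" ] || continue
        grep -Eiq '^[[:space:]]*PrivateUsers[[:space:]]*=[[:space:]]*(1|yes|true|on)[[:space:]]*$' "$f" \
            && basename "$f"
    done
    return 0
}

# Constructed input: a config without user namespaces and three unit files.
make_sample() {
    mkdir -p "$1/units"
    printf '%s\n' 'CONFIG_UTS_NS=y' '# CONFIG_USER_NS is not set' > "$1/config"
    printf '%s\n' '[Service]' 'PrivateUsers=true' > "$1/units/redis-server.service"
    printf '%s\n' '[Service]' 'PrivateUsers = yes' > "$1/units/sample-daemon.service"
    printf '%s\n' '[Service]' '#PrivateUsers=true' > "$1/units/plain.service"
}

# Report the units that depend on a feature this kernel config does not enable.
report() {
    state=$(userns_config_state "$1")
    echo "CONFIG_USER_NS: $state"
    [ "$state" = enabled ] && return 0
    units_wanting_private_users "$2" | sed 's/^/  requests PrivateUsers: /'
}

tmp=$(mktemp -d)
make_sample "$tmp"
report "$tmp/config" "$tmp/units"
rm -rf "$tmp"
```

On a real system the config is typically `/boot/config-$(uname -r)`, or `/proc/config.gz` when the kernel exposes it, and packaged units usually live under `/lib/systemd/system`.
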
Re: Include CONFIG_USER_NS in kernel builds
December 21, 2022 04:59PM
kralan,

> To be more specific: CONFIG_USER_NS is needed for
> service files setting PrivateUsers=true, which is
> the case for redis-server or uidd, for instance.

Sorry, I'm a bit hesitant to do that. See this discussion about the CONFIG_USER_NS security issue.

https://github.com/netblue30/firejail/issues/1347

I would like to see how the issue is resolved by Arch Linux and Debian mainline before including this kernel config.

-bodhi
===========================
Forum Wiki
bodhi's corner (buy bodhi a beer)
Re: Include CONFIG_USER_NS in kernel builds
December 22, 2022 02:39AM
Hi Bodhi,

Debian have turned on CONFIG_USER_NS in their kernels and depend on it in some of their userspace.
See the Debian discussion here: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=898446

Thank you for pointing out the risks, I was not aware of all of them.
I can compile a modified kernel for myself if I can not find a way of working around the redis-server requirement.

Alan
Re: Include CONFIG_USER_NS in kernel builds
December 22, 2022 04:07PM
Alan,

> Debian have turned on CONFIG_USER_NS in their
> kernels and depend on it in some of their
> userspace.
> See the Debian discussion here:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=898446

I'll take a look.

-bodhi
Re: Include CONFIG_USER_NS in kernel builds
December 22, 2022 04:51PM
Hi Alan,

I will add CONFIG_USER_NS in the next kernel release.

-bodhi
Re: Include CONFIG_USER_NS in kernel builds
December 23, 2022 07:46AM
Thank you, Bodhi!
This will make my life easier and avoid problems with standard Debian packages.
Re: Include CONFIG_USER_NS in kernel builds
December 25, 2022 06:43PM
Hi Alan,

We're talking about the Kirkwood kernel, right?

Looks like this CONFIG_USER_NS pushes the MVEBU kernel over my self-imposed kernel size of 5MB :D

UPDATE:
NVM, newer kernel is already too big, I will trim it a bit so we will have CONFIG_USER_NS.

-bodhi
Edited 1 time(s). Last edit at 12/26/2022 05:01PM by bodhi.
Re: Include CONFIG_USER_NS in kernel builds
January 01, 2023 04:50PM
Hi bodhi,

I use your kernels on several Zyxel NAS326 (MVEBU) and one Medion P89626 (oxnas). The MVEBU kernel is the one I need CONFIG_USER_NS for.
As said before, with your configs and patches, I can build a kernel for myself. Of course, it would be more convenient to have the config included in your kernels.

Thank you for your effort
Alan
Re: Include CONFIG_USER_NS in kernel builds
January 01, 2023 05:08PM
Hi Alan,

> Of course, it would
> be more convenient to have the config included in
> your kernels.

Yes indeed. I'm testing kernel 6.1.x-mvebu, atm. I moved a couple of less commonly used file systems to loadable modules, and added CONFIG_USER_NS and CONFIG_MEMCG to the kernel. It all seems to be working fine, and the kernel size does not change much. So it will probably be a few stable versions before I release it in January.

-bodhi