Application containers don't have a use for the user namespace quasi
root and no one really needs the half baked uid/gid mapping feature.
There's no real reason for stuff being done that way beyond desktop
Linux having the disease of inability to do plumbing in userspace, but
instead putting everything in the kernel simply to have it universally
available rather than for technical reasons.

It would make sense to simply have a service spawning on-demand unpriv
users from a range of uid/gid pairs. That's exactly how this works on
Android for both apps and isolatedProcess services (they each get a
unique uid/gid pair assigned), although they also layer SELinux and
mount namespaces on top.

The only real use case for user namespaces is unprivileged, contained
usage of OS containers since they actually need the quasi root. For
application containers / sandboxes, it's just laziness and bad design.

But you see, sandboxing apps is by itself is a misleading security feature. Why
do I need to sandbox my browser if it is written properly and allows me to
disable the unnecessary (for me) features?

In the end, every sandbox uses DAC protection, no? And I already proposed a
sandbox which is far better than firejail or the one used in chrome, and
doesn't use userns.
The issue is this: either enable userns fully, i.e. unprivileged users are
able to create user namespaecs, or don't enable them at all. The way Fedora
does things, for example, is worse that the latter (of course, if you used
Fedora you know that it sucks in general).
So, why don't you just build your own kernel? It takes only 20 mins...

Cheers,

I already listed several in the linked issue reports.
That doesn't demonstrate that it's useful relative to the alternatives.
It enables unprivileged OS containers but isn't really any use for app
containers.
That has nothing to do with this.
The proof is easy to find. You're the one making a proposal but you
clearly haven't done your research. It's not my job to spoon feed you.
Uh, yeah, I did. M
Not baseless and it's not arrogant to point out that this is a bad
feature for app containers. It's the truth.
Look at the discussion on the issue report or do basic research on the
topic. It's your proposal, if you haven't done even basic research
that's your problem.
It's a very niche feature with better alternatives for sandboxes and app
containers. It exposes all of the netfilter administration code and tons
of other networking and mount code as new attack surface.
There are no baseless claims / accusations here. I am not going to spoon
feed you information that's already in the issue reports, easily found
on oss-security, etc.
That switch isn't passed, which should be pretty clear considering that
it runs.
That doesn't do what you think it does.
No, that's incorrect and you're just further demonstrating how far out
of your depth you are here. Google doesn't even enable user namespaces
in the kernel in AOSP / stock Android for Nexus/Pixel. Doubt that any
other vendors are enabling it. It doesn't use any namespaces other than
mount namespaces as part of the multi-user emulation for backwards
compatibility. It certainly doesn't use minijail as the 'default app
sandbox'. It uses minijail as a library to factor out common patterns
involved in privilege dropping, like dropping capabilities. The app
sandbox is done with uid/gid pairs (AIDs) and the full system SELinux
policy (untrusted_app domain for regular non-platform apps and
isolated_app for isolatedProcess services). Permissions are generally
done with IPC checks but some are done with secondary groups. Before it
had SELinux, it was just using the POSIX user/group/permission model to
implement the app sandbox and that's still the base. It has no use case
at all for user namespaces, and process namespaces would not really have
much use either due to hidepid=2 since 7.x combined with uid isolation.
It would just be a mess since they turn a process into a subreaper /
secondary init.

Trying to explain to me how Android works from skimming and
misinterpreting news / documentation and making incorrect assumptions is
not going to get you far.
Android, which was given as an example. You are going out of the way to
ignore all of the information that's right in front of you.
Not exaggerated at all. It adds a huge amount of attack surface. It's no
joke to suddenly expect all of netfilter to handle untrusted
administration, and that's just one of a bunch of API surfaces added as
attack surface for unprivileged users.
If you read past the initial information (seems to be a consistent
problem for you), you'll see that they determined that it didn't seem to
really be a privilege escalation bug after all. I was already aware of
that issue, and it's exactly why I asked for a real privilege escalation
bug caused by chrome-sandbox because I am not aware of one.
CVE-2016-8655 is a simple one that comes to mind. Not accessible attack
surface to unprivileged users without user namespaces. There are a bunch
more though!
You haven't done any real research, so you're in no position to draw
conclusions.
The kernel change that's required is already upstream
I haven't seen any such assessment by them about the risk vs. reward and
comparing it to alternative solutions from a security perspective. The
Chromium change has a lot more to do with them only really caring about
ChromeOS (where they can disable userns everywhere but the spawning
process) and Android (where it's not needed due to a better alternative
and user namespaces aren't available).

An argument from authority is worth nothing particularly when those
people are not actually saying what you claim they are, and here is
someone that works full time on infosec that's telling you otherwise.
You're the one making a proposal without having done much research into
it, and you're going out of your way to only skim the available info.

Not spoon feeding you information != lack of sources. You're the one
making a proposal about this. It's on you to get yourself up to speed
about the recent bugs exposed as privilege escalation vulns due to user
namespaces. It's easy to find a dozen of them from the past 6 months
simply from basic Google searches / oss-security, but there are many
more if you actually dig deeper into CVEs and bug fixes backported to
stables for these issues without CVEs.

IIUC Mark Shuttleworth offered manpower to enable a standard mac-based
security framework:
https://lists.ubuntu.com/archives/snapcraft/2017-January/002247.html

----- Reply to message -----
Subject: Re: [arch-general] user namespaces
Date: 2 February 2017 at 18:22:36
From: "Daniel Micay" <***@gmail.com>
To: "General Discussion about Arch Linux"
Barbee via arch-general
I'll respond anyway.
one is stepping up to
failures that need to be
not real failures.
which offers multiple MAC
AppArmor not being enabled
If people were willing to
rather than only
don't see much value in
is particularly relevant
pulseaudio, dbus, etc. In
progress on that front but it
provide a real security
anti-security feature, not
offer essentially zero
mapping is superfluous when
properly supported since
be significantly less
You should be thankful
you really care about
So your advice for now would be to use grsecurity
kernel and forget all those jails and namespaces
until someone figure out proper security solution?