[Kernel] Manjaro ARM kernel userspaces / unprivileged containers

Hello,

I’m trying to compile tor-browser on Manjaro ARM, and it needs kernel userspaces to be enabled.

According to ArchLinux documentation « The Arch linux, linux-lts and linux-zen kernel packages currently provide out-of-the-box support for unprivileged containers. Similarly, with the linux-hardened package, unprivileged containers are only available for the system administrator; with additional kernel configuration changes required, as user namespaces are disabled by default for normal users there. »

However, trying to check for kernel userspaces on :

  • A Pinebook Pro, kernel 6.0.0-2-MANJARO-ARM
  • A Raspberry Pi 4, kernel 5.15.72-1-MANJARO-ARM-RPI

I get on both :
❯ sysctl kernel.unprivileged_userns_clone
sysctl: cannot stat /proc/sys/kernel/unprivileged_userns_clone: No such file or directory

Furthermore, on the Pinebook Pro :
❯ zgrep CONFIG_USER_NS /proc/config.gz
CONFIG_USER_NS=y

But on the Pi the kernel config seems to be absent :
❯ zgrep CONFIG_USER_NS /proc/config.gz
gzip: /proc/config.gz: No such file or directory

However, it seems that on the Pinebook Pro the kernel is compiled with user namespaces support, but I cannot enable it using sysctl as it seems the control files in /proc are missing.

Any clue ?

Run sudo modprobe configs first. CONFIG_USER_NS is enabled in the rpi kernel.

https://gitlab.manjaro.org/manjaro-arm/packages/core/linux-rpi4/-/blob/master/config#L186

Seems like there has been a discussion here with the newer firefox with tor and a USER_NS issue. It stopped working after a certain version.

Hi,

Even if I do “modprobe configs”, I still get

❯ sysctl kernel.unprivileged_userns_clone
sysctl: cannot stat /proc/sys/kernel/unprivileged_userns_clone: No such file or directory

On Manjaro ARM,

Whereas it is present OK on Manjaro x86…

It would seem that something is missing to get that file to be created.
Any idea what it could be? We are willing to enable it, if we know what is needed, as long as it does not break anything else. :slight_smile:

I found this post, which says user namespaces are always enabled in mainline kernel:
https://serverfault.com/questions/939455/unprivileged-userns-clone-no-such

The file seems to be one that Debian patches into their kernel.

I’m not sure if this is a good test to verify if user namespaces work.

Did you try to use user namespaces? For example with the little userns_child_exec from the manpage or with podman rootless? It worked on my Pi.

https://man7.org/linux/man-pages/man7/user_namespaces.7.html#EXAMPLE
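A functional test of the kind suggested above, as an added example (this is not code from the thread, the man page, or Manjaro): it forks a child that calls unshare(CLONE_NEWUSER) as the current unprivileged user and classifies the errno, and it also reports whether two sysctl files exist. The assumption behind the two file checks is that kernel.unprivileged_userns_clone is a distribution patch knob (Debian, Arch linux-hardened) while user.max_user_namespaces is a mainline knob present whenever CONFIG_USER_NS=y, so the latter is the file to look for on a stock kernel.

```c
/* Added example, not part of the forum thread: probe whether an
 * unprivileged user namespace can actually be created on this kernel,
 * instead of looking for a distro-specific sysctl file.
 * Build: gcc -Wall -o userns_probe userns_probe.c ; run as a normal user. */
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

enum userns_status {
    USERNS_OK = 0,          /* unshare(CLONE_NEWUSER) succeeded */
    USERNS_DENIED = 1,      /* CONFIG_USER_NS=y but creation refused (EPERM/ENOSPC/EUSERS) */
    USERNS_UNSUPPORTED = 2, /* CLONE_NEWUSER unknown to the kernel (EINVAL): CONFIG_USER_NS=n */
    USERNS_ERROR = 3        /* the probe itself failed (fork/waitpid) or unexpected errno */
};

/* Map the errno returned by unshare(CLONE_NEWUSER) to a status.
 * Pure function, so it can be tested without touching the kernel. */
enum userns_status classify_unshare_errno(int err)
{
    switch (err) {
    case 0:      return USERNS_OK;
    case EINVAL: return USERNS_UNSUPPORTED;
    case EPERM:
    case ENOSPC:
    case EUSERS: return USERNS_DENIED;
    default:     return USERNS_ERROR;
    }
}

/* Return 1 if the sysctl "a.b.c" exists as /proc/sys/a/b/c, else 0.
 * Assumption (see lead-in): kernel.unprivileged_userns_clone is a distro
 * patch knob; user.max_user_namespaces is mainline whenever CONFIG_USER_NS=y. */
int sysctl_exists(const char *dotted)
{
    char path[256];
    snprintf(path, sizeof path, "/proc/sys/%s", dotted);
    for (char *p = path + strlen("/proc/sys/"); *p; p++)
        if (*p == '.')
            *p = '/';
    return access(path, F_OK) == 0;
}

/* Fork a child that tries unshare(CLONE_NEWUSER); the parent never changes
 * namespace. The child's exit status carries the errno back (all relevant
 * errno values fit in one byte). Running this as root is not informative. */
enum userns_status probe_userns(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return USERNS_ERROR;
    if (pid == 0) {
        int err = unshare(CLONE_NEWUSER) == 0 ? 0 : errno;
        _exit(err & 0xff);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return USERNS_ERROR;
    return classify_unshare_errno(WEXITSTATUS(status));
}

int main(void)
{
    static const char *names[] = {
        "usable: unprivileged user namespace created",
        "denied: kernel supports user namespaces but refused (policy/limit)",
        "unsupported: kernel built without CONFIG_USER_NS",
        "probe error"
    };
    printf("kernel.unprivileged_userns_clone present: %s\n",
           sysctl_exists("kernel.unprivileged_userns_clone") ? "yes (distro patch knob)" : "no (not a mainline knob)");
    printf("user.max_user_namespaces present:         %s\n",
           sysctl_exists("user.max_user_namespaces") ? "yes (CONFIG_USER_NS=y)" : "no");
    printf("unshare(CLONE_NEWUSER) as uid %u:          %s\n",
           (unsigned)getuid(), names[probe_userns()]);
    return 0;
}
```

On a kernel like the ones in this thread, the expected output is "no" for the first knob, "yes" for the second, and "usable" for the probe; "denied" with EPERM typically means a seccomp filter or a hardening sysctl, not a missing kernel feature.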

Well, yes I’m sure something is missing in the kernel, as on x86 Manjaro I get the /proc/sys/kernel/unprivileged_userns_clone entry, and on ARM I don’t…

Both on kernels 6.0.2 and after having “modprobe configs” of course.

/proc/sys/kernel files reflect kernel available features, so that leaves little doubt to me.

About testing, when I try to build tor-browser on ARM it fails starting the userspace container with messages clearly stating unavailable features, while on x86 this part works (well it fails elsewhere, but that’s another issue).

Both machines being the same OS and having the same packages installed.

I found this old archived post that seems to indicate that Manjaro used a specific patch to disable it in some kernel version, but that was fixed after 4.16. : [SOLVED] User namespaces not detected - Third-Party Applications - Manjaro Linux Forum

Maybe this is still around in the ARM version ? I really dunno.

The config module just provides the config that was used to build the kernel.

No, it doesn’t show all available features. It also depends on the platform.

And you checked the code to verify that the test works on anything other than x64? (btw, Arch and Manjaro do not support x86 anymore, it’s x64 only.)

To summarise, on a Pi with Arch ARM and Manjaro ARM user namespaces work.


You’re right, it seems to work, but it’s been quite a mess to get it working :wink: