Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 22 Jan 2016 23:49:45 +0100
From: Richard Weinberger <>
To: Kees Cook <>,
 Andrew Morton <>
Cc: Al Viro <>,
 "Eric W. Biederman" <>,
 Andy Lutomirski <>, Robert Święcki
 <>, Dmitry Vyukov <>,
 David Howells <>, Miklos Szeredi <>,
 Kostya Serebryany <>, Alexander Potapenko <>,
 Eric Dumazet <>, Sasha Levin <>,,,
Subject: Re: [PATCH 0/2] sysctl: allow CLONE_NEWUSER to be disabled

Am 22.01.2016 um 23:39 schrieb Kees Cook:
> There continues to be unexpected side-effects and security exposures
> via CLONE_NEWUSER. For many end-users running distro kernels with
> CONFIG_USER_NS enabled, there is no way to disable this feature when
> desired. As such, this creates a sysctl to restrict CLONE_NEWUSER so
> admins not running containers or Chrome can avoid the risks of this
> feature.

Last time such a patch came up I was not thrilled because hiding
a scary feature behind a knob IMHO doesn't make it any better nor helps
finding issues.
But as userns is still a source of a lot of issues and distros enable
it by default a knob for the admin seems to be a good idea by now. ;-\


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.