Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 22 Jan 2016 23:49:45 +0100
From: Richard Weinberger <richard@....at>
To: Kees Cook <keescook@...omium.org>,
 Andrew Morton <akpm@...ux-foundation.org>
Cc: Al Viro <viro@...iv.linux.org.uk>,
 "Eric W. Biederman" <ebiederm@...ssion.com>,
 Andy Lutomirski <luto@...capital.net>, Robert Święcki
 <robert@...ecki.net>, Dmitry Vyukov <dvyukov@...gle.com>,
 David Howells <dhowells@...hat.com>, Miklos Szeredi <mszeredi@...e.cz>,
 Kostya Serebryany <kcc@...gle.com>, Alexander Potapenko <glider@...gle.com>,
 Eric Dumazet <edumazet@...gle.com>, Sasha Levin <sasha.levin@...cle.com>,
 linux-doc@...r.kernel.org, linux-kernel@...r.kernel.org,
 kernel-hardening@...ts.openwall.com
Subject: Re: [PATCH 0/2] sysctl: allow CLONE_NEWUSER to be disabled

Am 22.01.2016 um 23:39 schrieb Kees Cook:
> There continues to be unexpected side-effects and security exposures
> via CLONE_NEWUSER. For many end-users running distro kernels with
> CONFIG_USER_NS enabled, there is no way to disable this feature when
> desired. As such, this creates a sysctl to restrict CLONE_NEWUSER so
> admins not running containers or Chrome can avoid the risks of this
> feature.

Last time such a patch came up I was not thrilled because hiding
a scary feature behind a knob IMHO doesn't make it any better nor helps
finding issues.
But as userns is still a source of a lot of issues and distros enable
it by default a knob for the admin seems to be a good idea by now. ;-\

Thanks,
//richard

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.