Date: Sun, 24 Jan 2016 12:59:13 -0800 From: Kees Cook <keescook@...omium.org> To: "kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com> Cc: Robert Święcki <robert@...ecki.net>, "Serge E. Hallyn" <serge.hallyn@...ntu.com>, Andrew Morton <akpm@...ux-foundation.org>, Al Viro <viro@...iv.linux.org.uk>, Richard Weinberger <richard@....at>, "Eric W. Biederman" <ebiederm@...ssion.com>, Andy Lutomirski <luto@...capital.net>, Dmitry Vyukov <dvyukov@...gle.com>, David Howells <dhowells@...hat.com>, Kostya Serebryany <kcc@...gle.com>, Alexander Potapenko <glider@...gle.com>, Eric Dumazet <edumazet@...gle.com>, Sasha Levin <sasha.levin@...cle.com>, "linux-doc@...r.kernel.org" <linux-doc@...r.kernel.org>, LKML <linux-kernel@...r.kernel.org> Subject: Re: Re: [PATCH 2/2] sysctl: allow CLONE_NEWUSER to be disabled On Fri, Jan 22, 2016 at 4:59 PM, Ben Hutchings <ben@...adent.org.uk> wrote: > On Fri, 2016-01-22 at 15:00 -0800, Kees Cook wrote: >> On Fri, Jan 22, 2016 at 2:55 PM, Robert Święcki <robert@...ecki.net> wrote: >> > 2016-01-22 23:50 GMT+01:00 Kees Cook <keescook@...omium.org>: >> > >> > > > Seems that Debian and some older Ubuntu versions are already using >> > > > >> > > > $ sysctl -a | grep usern >> > > > kernel.unprivileged_userns_clone = 0 >> > > > >> > > > Shall we be consistent wit it? >> > > >> > > Oh! I didn't see that on systems I checked. On which version did you find that? >> > >> > $ uname -a >> > Linux bc1 4.3.0-0.bpo.1-amd64 #1 SMP Debian 4.3.3-5~bpo8+1 >> > (2016-01-07) x86_64 GNU/Linux >> > $ cat /etc/debian_version >> > 8.2 >> >> Ah-ha, Debian only, though it looks like this was just committed to >> the Ubuntu kernel tree too: >> >> >> > IIRC some older kernels delivered with Ubuntu Precise were also using >> > it (but maybe I'm mistaken) >> >> I don't see it there. >> >> I think my patch is more complete, but I'm happy to change the name if >> this sysctl has already started to enter the global consciousness. ;) >> >> Serge, Ben, what do you think? > > I agree that using the '_restrict' suffix for new restrictions makes > sense. I also don't think that a third possible value for > kernel.unprivileged_userns_clone would would be understandable. > > I would probably make kernel.unprivileged_userns_clone a wrapper for > kernel.userns_restrict in Debian, then deprecate and eventually remove > it. Okay, cool. We'll keep my patch as-is then. Thanks! -Kees -- Kees Cook Chrome OS & Brillo Security
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.