Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 28 Jan 2016 11:41:17 -0600
From: (Eric W. Biederman)
To: Kees Cook <>
Cc: Andrew Morton <>,  Al Viro
 <>,  "Serge E. Hallyn" <>,
  Andy Lutomirski <>,  "Austin S. Hemmelgarn"
 <>,  Richard Weinberger <>,  Robert
 Święcki <>,  Dmitry Vyukov
 <>,  David Howells <>,  Kostya
 Serebryany <>,  Alexander Potapenko <>,
  Eric Dumazet <>,  Sasha Levin
Subject: Re: [PATCH v2] sysctl: allow CLONE_NEWUSER to be disabled

Kees Cook <> writes:

> There continue to be unexpected security exposures when users have access

So how does this sucessfully address that issue?

> For admins of systems that do not use user namespaces
> and are running distro kernels with CONFIG_USER_NS enabled, there is
> no way to disable CLONE_NEWUSER. This provides a way for sysadmins to
> disable the feature to reduce their attack surface without needing to
> rebuild their kernels.
> This is inspired by a similar restriction in Grsecurity, but adds
> a sysctl.

I have already nacked this patch.   Thank you for removing the broken
capability in sysctl check.  But this does not address any of the other
issues I have raised.

Nacked-by: "Eric W. Biederman" <>

Further as far as I can tell this is just about a witch hunt.  Isn't
that what you call a campaign against something when the complaining
party does not understand something persecutes it and does not bother to
try and understand?

I have already told you what kind of direction would be acceptable.  I
gave concrete suggests and here you are wasting our time with this patch


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.