Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 28 Jan 2016 11:48:33 -0600
From: ebiederm@...ssion.com (Eric W. Biederman)
To: Kees Cook <keescook@...omium.org>
Cc: Andrew Morton <akpm@...ux-foundation.org>,  Al Viro
 <viro@...iv.linux.org.uk>,  "Serge E. Hallyn" <serge.hallyn@...ntu.com>,
  Andy Lutomirski <luto@...nel.org>,  "Austin S. Hemmelgarn"
 <ahferroin7@...il.com>,  Richard Weinberger <richard@....at>,  Robert
 Święcki <robert@...ecki.net>,  Dmitry Vyukov
 <dvyukov@...gle.com>,  David Howells <dhowells@...hat.com>,  Kostya
 Serebryany <kcc@...gle.com>,  Alexander Potapenko <glider@...gle.com>,
  Eric Dumazet <edumazet@...gle.com>,  Sasha Levin
 <sasha.levin@...cle.com>,  linux-doc@...r.kernel.org,
  linux-kernel@...r.kernel.org,  kernel-hardening@...ts.openwall.com
Subject: Re: [PATCH v2] sysctl: allow CLONE_NEWUSER to be disabled

Kees Cook <keescook@...omium.org> writes:

> +	if (sysctl_userns_restrict && !(capable(CAP_SYS_ADMIN) &&
> +					capable(CAP_SETUID) &&
> +					capable(CAP_SETGID)))
> +		return -EPERM;
> +

I will also note that the way I have seen containers used this check
adds no security and is not mentioned or justified in any way in your
patch description.

Furthermore this looks like blame shifting.  And quite frankly shifting
the responsibility to users if they get hacked is not an acceptable
attitude.

Eric

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.