Date: Fri, 3 Feb 2017 08:54:55 -0800
From: Thomas Garnier <>
To: Jessica Frazelle <>
Cc: Kernel Hardening <>
Subject: Re: Container Hardening

That seems like a good idea!

It would be useful to gather a list of bugs that affected namespaces
or usual mistakes in using namespaces.

I will see if I can free some time to help.

On Fri, Feb 3, 2017 at 8:13 AM, Jessica Frazelle <> wrote:
> Hi,
> I made this one page site[1] to detail trying to harden namespaces in
> the kernel. The other primitives containers use are included as well,
> but if we are honest we all know namespaces need the most help.
> Solar mentioned just using this mailing list for this initiative as
> well. That's great with me because I would love all your feedback and
> help.
> I think the first focus should be on preventing privilege escalations
> in user namespaces. This has the largest attack surface. The
> fundamental problem seems to be that not many people have inspected
> user namespaces and the various interactions with other parts of the
> kernel. I will be trying to do this and would love any help from
> anyone interested. We could split up the various systems and do some
> research to find out just how far this rabbit hole goes.
> In the past, one of the ways to fix vulnerabilities with user
> namespaces was to disallow the interaction, for instance CLONE_FS.
> I'm sure we can't have that as a solution for everything, but I'm
> hoping by working together we can come up with a well-informed
> solution.
> Jess
> [1]
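The "disallow the interaction" fix mentioned above is still visible in the kernel: since Linux 3.9, clone() refuses CLONE_NEWUSER together with CLONE_FS, because the child would otherwise keep sharing its root and cwd (the fs_struct) with a task on the other side of a user-namespace boundary, and copy_process() likewise refuses a new user or pid namespace for a CLONE_THREAD child. The program below is an added example written for this page, not code from the thread or from the kernel tree. clone_flags_rejected() restates those two up-front kernel rules in userspace, so a sandbox can validate a flag set before issuing the syscall; probe_clone() then asks the running kernel what it actually does, via a fork-style raw clone() whose child exits at once. The function names are this example's own. Probing plain CLONE_NEWUSER is the first check to make when sizing up the attack surface the thread discusses: "ok" means an unprivileged process here can create a user namespace, EPERM means it cannot (the sysctl forbids it or a seccomp filter intercepts the call).

```c
/* Added example: predict and probe the kernel's refusal of CLONE_NEWUSER|CLONE_FS
 * (and CLONE_THREAD with a new user/pid namespace). Not from the thread. */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/sched.h>   /* CLONE_* flag values from the UAPI header */

/* Returns the errno copy_process() returns for this flag set before it does
 * any real work, or 0 when the kernel would not reject the combination
 * up front (it may still fail later, e.g. EPERM for a namespace the caller
 * is not allowed to create). Hypothetical helper for this example. */
int clone_flags_rejected(unsigned long flags)
{
    /* Linux >= 3.9: a new user namespace must not share fs_struct
     * (root, cwd) with the parent. */
    if ((flags & (CLONE_NEWUSER | CLONE_FS)) == (CLONE_NEWUSER | CLONE_FS))
        return EINVAL;
    /* A thread cannot live in a different user or pid namespace than
     * the rest of its thread group. */
    if ((flags & CLONE_THREAD) && (flags & (CLONE_NEWUSER | CLONE_NEWPID)))
        return EINVAL;
    return 0;
}

/* Issues a raw clone() with the given namespace flags as a fork-style clone
 * (no CLONE_VM, no separate stack, so the child runs on a copy of ours).
 * Returns 0 if the kernel created the child (which is reaped), otherwise
 * the errno the kernel or a seccomp filter reported. */
int probe_clone(unsigned long flags)
{
    long pid = syscall(SYS_clone, flags | SIGCHLD, NULL, NULL, NULL, 0);
    if (pid < 0)
        return errno;
    if (pid == 0)
        _exit(0);                /* child: leave without flushing stdio */
    waitpid((pid_t)pid, NULL, 0);
    return 0;
}

static void report(const char *label, unsigned long flags)
{
    int predicted = clone_flags_rejected(flags);
    int actual = probe_clone(flags);
    printf("%-26s predicted=%-16s actual=%s\n", label,
           predicted ? strerror(predicted) : "ok",
           actual ? strerror(actual) : "ok");
}

int main(void)
{
    report("CLONE_FS", CLONE_FS);
    report("CLONE_NEWUSER", CLONE_NEWUSER);
    report("CLONE_NEWUSER|CLONE_FS", CLONE_NEWUSER | CLONE_FS);
    report("CLONE_NEWPID|CLONE_THREAD", CLONE_NEWPID | CLONE_THREAD);
    return 0;
}
```

Run it once as an unprivileged user and once as root: the CLONE_NEWUSER|CLONE_FS line is EINVAL for both, because the check sits before any capability test, while the plain CLONE_NEWUSER line is the one that changes with the kernel configuration. A "predicted=ok actual=<error>" mismatch on the first two lines points at a seccomp filter or a kernel setting rather than at the clone() flag rules.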

