Date: Fri, 3 Feb 2017 08:54:55 -0800 From: Thomas Garnier <thgarnie@...gle.com> To: Jessica Frazelle <me@...sfraz.com> Cc: Kernel Hardening <kernel-hardening@...ts.openwall.com> Subject: Re: Container Hardening That seems like a good idea! It would be useful to gather a list of bugs that affected namespaces or usual mistakes in using namespaces. I will see if I can free some time to help. On Fri, Feb 3, 2017 at 8:13 AM, Jessica Frazelle <me@...sfraz.com> wrote: > Hi, > > I made this one page site to detail trying to harden namespaces in > the kernel. The other primitives containers use are included as well, > but if we are honest we all know namespaces need the most help. > > Solar mentioned just using this mailing list for this initiative as > well. That's great with me because I would love all your feedback and > help. > > I think the first focus should be on preventing priviledge escalations > in user namespaces. This has the largest attack surface. The > fundamental problem seems to be that not many people have inspected > user namespaces and the various interactions with other parts of the > kernel. I will be trying to do this and would love any help from > anyone interested. We could split up the various systems and do some > research to find out just how far this rabbit hole goes. > > In the past, one of the ways to fix vulnerabilities with user > namespaces was to disallow the interaction, for instance CLONE_FS. > > I'm sure we can't have that as a solution for everything, but I'm > hoping by working together we can come up with a well-informed > solution. > > Jess > >  https://containerhardening.org -- Thomas
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.