Date: Fri, 3 Feb 2017 11:32:29 -0800
From: Jessica Frazelle <>
To: "Eric W. Biederman" <>
Cc: Thomas Garnier <>, 
	Kernel Hardening <>
Subject: Re: Container Hardening

Thank you for your help.

On Fri, Feb 3, 2017 at 11:25 AM Eric W. Biederman <> wrote:
> Jessica Frazelle <> writes:
> > Yeah I can definitely come up with a list. The interesting thing is
> > some vulnerabilities don't even need for the process to be _in_ a user
> > namespace, just that CONFIG_USERNS=y. So as far as I currently know, a
> > lot has to do with hitting these obscure-ish code paths. But will work
> > on a list :)
> I believe you are a little misinformed about the current situation,
> but one thing I can agree with is more people and more eyeballs on the
> code can not hurt.
> My best estimate of where things are at is at this point most of the
> design issues have been fixed, and that user namespaces and namespaces
> in general are about as buggy as the rest of the kernel.
> As any process can create a user namespace a system does not have to be
> using user namespaces to be vulnerable to their issues.  At the same
> time there are a set of sysctls under /proc/sys/user/ that can be used
> to reduce the attack surface if you are not using the features.

This sounds neat, I will read up on it!

> I will be happy to help resolve and merge any bugs you happen to find.
> Although if they are ordinary kernel bugs in the network stack it is
> probably easiest just to go through David Miller, and the netdev mailing
> list.  I won't mind being Cc'd in that case.
> Eric
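Eric's pointer to the sysctls under /proc/sys/user/ is the one concrete hardening knob in this thread. The script below is an added example, not part of the thread and not anyone's posted code: it audits the per-namespace-type creation limits the kernel exposes there (max_user_namespaces, max_pid_namespaces and the other max_*_namespaces files, present since Linux 4.9) and reports which namespace types unprivileged processes may still create. To run offline it builds a constructed snapshot of that directory in a temp dir; the `harden_limits` helper, which writes 0 to every knob, is applied only to that snapshot here. Running it against the live /proc/sys/user needs root and disables namespace creation system-wide, which is only appropriate on a host that does not run containers or other namespace users, exactly the "if you are not using the features" condition Eric states.

```shell
#!/bin/sh
# Audit (and optionally zero) the namespace-creation limits under /proc/sys/user/.
# Added example for the kernel-hardening thread above; not from the thread.
# Assumes the Linux >= 4.9 layout of /proc/sys/user/ (one max_*_namespaces file per type).

# Real sysctl names from /proc/sys/user/ (user.max_*_namespaces).
NS_KNOBS="max_user_namespaces max_pid_namespaces max_net_namespaces max_mnt_namespaces max_uts_namespaces max_ipc_namespaces max_cgroup_namespaces"

# audit_limits DIR: print "knob value status" for each knob readable under DIR.
# A value of 0 means the kernel refuses to create that namespace type.
audit_limits() {
    dir=$1
    for knob in $NS_KNOBS; do
        f="$dir/$knob"
        [ -r "$f" ] || continue
        val=$(cat "$f")
        if [ "$val" -eq 0 ]; then
            status=disabled
        else
            status=allowed
        fi
        printf '%s %s %s\n' "$knob" "$val" "$status"
    done
}

# count_allowed DIR: number of namespace types processes may still create.
count_allowed() {
    audit_limits "$1" | grep -c ' allowed$' || true
}

# harden_limits DIR: set every limit to 0. Against /proc/sys/user this needs root
# and blocks all new namespaces, so only do it where the features are unused.
harden_limits() {
    for knob in $NS_KNOBS; do
        [ -w "$1/$knob" ] && echo 0 > "$1/$knob"
    done
}

# make_sample DIR: constructed snapshot mimicking a kernel's default limits,
# with user namespaces already disabled, so the audit can be exercised offline.
make_sample() {
    mkdir -p "$1"
    for knob in $NS_KNOBS; do
        echo 15000 > "$1/$knob"
    done
    echo 0 > "$1/max_user_namespaces"
}

# Usage: audit the live kernel if present, then show the audit on the sample.
main() {
    if [ -d /proc/sys/user ]; then
        echo "== live /proc/sys/user =="
        audit_limits /proc/sys/user
    fi
    sample=$(mktemp -d)
    make_sample "$sample"
    echo "== constructed sample before hardening =="
    audit_limits "$sample"
    harden_limits "$sample"
    echo "== constructed sample after hardening =="
    audit_limits "$sample"
    rm -r "$sample"
}

main "$@"
```

The audit reads the files directly rather than through `sysctl` so it works on minimal images; the same values are what `sysctl user.max_user_namespaces` reports. Note that these limits are per user namespace and inherited downward, so zeroing them in the init namespace is what prevents any process on the host from entering the user-namespace code paths Jessica is concerned about.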
