Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 3 Feb 2017 11:32:29 -0800
From: Jessica Frazelle <me@...sfraz.com>
To: "Eric W. Biederman" <ebiederm@...ssion.com>
Cc: Thomas Garnier <thgarnie@...gle.com>, 
	Kernel Hardening <kernel-hardening@...ts.openwall.com>
Subject: Re: Container Hardening

Thank you for your help.

On Fri, Feb 3, 2017 at 11:25 AM Eric W. Biederman <ebiederm@...ssion.com> wrote:
>
> Jessica Frazelle <me@...sfraz.com> writes:
>
> > Yeah I can definitely come up with a list. The interesting thing is
> > some vulnerabilities don't even need for the process to be _in_ a user
> > namespace, just that CONFIG_USERNS=y. So as far as I currently know, a
> > lot has to do with hitting these obscure-ish code paths. But will work
> > on a list :)
>
> I believe you are a little misinformed about the current situation,
> but one thing I can agree with is more people and more eyeballs on the
> code can not hurt.
>
> My best estimate of where things are at is at this point most of the
> design issues have been fixed, and that user namespaces and namespaces
> in general are about as buggy as the rest of the kernel.
>
> As any process can create a user namespace a system does not have to be
> using user namespaces to be vulnerable to their issues.  At the same
> time there are a set of sysctls under /proc/sys/user/ that can be used
> to reduce the attack surface if you are not using the features.
>

This sounds neat, I will read up on it!

>
> I will be happy to help resolve and merge any bugs you happen to find.
>
> Although if they are ordinary kernel bugs in the network stack it is
> probably easiest just to go through David Miller, and the netdev mailing
> list.  I won't mind being Cc'd in that case.
>
> Eric

Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.