Date: Fri, 4 Feb 2022 13:26:16 +0300 From: "Anton V. Boyarshinov" <boyarsh@...linux.org> To: Christian Brauner <brauner@...nel.org> Cc: viro@...iv.linux.org.uk, linux-fsdevel@...r.kernel.org, ebiederm@...ssion.com, legion@...nel.org, ldv@...linux.org, linux-kernel@...r.kernel.org, kernel-hardening@...ts.openwall.com, Christoph Hellwig <hch@....de>, Linus Torvalds <torvalds@...ux-foundation.org> Subject: Re: [PATCH] Add ability to disallow idmapped mounts В Fri, 4 Feb 2022 10:45:15 +0100 Christian Brauner <brauner@...nel.org> пишет: > If you want to turn off idmapped mounts you can already do so today via: > echo 0 > /proc/sys/user/max_user_namespaces It turns off much more than idmapped mounts only. More fine grained control seems better for me. > They can neither > be created as an unprivileged user nor can they be created inside user > namespaces. But actions of fully privileged user can open non-obvious ways to privilege escalation.
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.