From: serge@hallyn.com (Serge E. Hallyn)
Date: Wed, 29 Nov 2017 11:28:52 -0600
Subject: [PATCH v5 next 1/5] modules:capabilities: add request_module_cap()
In-Reply-To: <20171129155406.i2lyclquj75lvtn4@thunk.org>
References: <20171128211659.GP729@wotan.suse.de> <20171129134612.72ccb53d@alans-desktop> <20171129.095014.1909386937628805919.davem@davemloft.net> <20171129155406.i2lyclquj75lvtn4@thunk.org>
Message-ID: <20171129172852.GA14545@mail.hallyn.com>
To: linux-security-module@vger.kernel.org
List-Id: linux-security-module.vger.kernel.org

Quoting Theodore Ts'o (tytso at mit.edu):
> Half the problem here is that with containers, people are changing the
> security model, because they want to let untrusted users have "root",
> without really having "root". Part of the fundamental problem is that
> there are some well-meaning, but fundamentally misguided people, who
> have been asserting: "Containers are just as secure as VM's".
>
> Well, they are not. And the sooner people get past this, the better
> off they'll be....

Just to be clear, module loading requires - and must always continue to require - CAP_SYS_MODULE against the initial user namespace. Containers in user namespaces do not have that. I don't believe anyone has ever claimed that containers which are not in a user namespace are in any way secure.

(And as for the other claim, I'd prefer to stick to "VMs are in most cases as insecure as properly configured containers" :)

-serge

--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html