From: ebiederm@xmission.com (Eric W. Biederman)
To: Kees Cook <keescook@chromium.org>
Cc: "Andrew Morton" <akpm@linux-foundation.org>,
"Al Viro" <viro@zeniv.linux.org.uk>,
"Serge E. Hallyn" <serge.hallyn@ubuntu.com>,
"Andy Lutomirski" <luto@kernel.org>,
"Austin S. Hemmelgarn" <ahferroin7@gmail.com>,
"Richard Weinberger" <richard@nod.at>,
"Robert Święcki" <robert@swiecki.net>,
"Dmitry Vyukov" <dvyukov@google.com>,
"David Howells" <dhowells@redhat.com>,
"Kostya Serebryany" <kcc@google.com>,
"Alexander Potapenko" <glider@google.com>,
"Eric Dumazet" <edumazet@google.com>,
"Sasha Levin" <sasha.levin@oracle.com>,
linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org,
kernel-hardening@lists.openwall.com
Subject: Re: [PATCH v2] sysctl: allow CLONE_NEWUSER to be disabled
Date: Thu, 28 Jan 2016 11:48:33 -0600 [thread overview]
Message-ID: <87io2degsu.fsf@x220.int.ebiederm.org> (raw)
In-Reply-To: <20160128143825.GA17383@www.outflux.net> (Kees Cook's message of "Thu, 28 Jan 2016 06:38:25 -0800")
Kees Cook <keescook@chromium.org> writes:
> + if (sysctl_userns_restrict && !(capable(CAP_SYS_ADMIN) &&
> + capable(CAP_SETUID) &&
> + capable(CAP_SETGID)))
> + return -EPERM;
> +
I will also note that the way I have seen containers used this check
adds no security and is not mentioned or justified in any way in your
patch description.
Furthermore this looks like blame shifting. And quite frankly shifting
the responsibility to users if they get hacked is not an acceptable
attitude.
Eric
next prev parent reply other threads:[~2016-01-28 17:58 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-01-28 14:38 [PATCH v2] sysctl: allow CLONE_NEWUSER to be disabled Kees Cook
2016-01-28 15:28 ` [kernel-hardening] " Serge E. Hallyn
2016-01-28 17:41 ` Eric W. Biederman
2016-01-28 20:08 ` Kees Cook
2016-01-28 17:48 ` Eric W. Biederman [this message]
2016-01-28 19:11 ` Robert Święcki
2016-01-28 20:17 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87io2degsu.fsf@x220.int.ebiederm.org \
--to=ebiederm@xmission.com \
--cc=ahferroin7@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=dhowells@redhat.com \
--cc=dvyukov@google.com \
--cc=edumazet@google.com \
--cc=glider@google.com \
--cc=kcc@google.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@kernel.org \
--cc=richard@nod.at \
--cc=robert@swiecki.net \
--cc=sasha.levin@oracle.com \
--cc=serge.hallyn@ubuntu.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox