Kees Cook <keescook@xxxxxxxxxxxx> writes:

> Hi,
>
> It seems like we should block (at least) this combination. On 3.9, this
> exploit works once uidmapping is added.
>
> http://www.openwall.com/lists/oss-security/2013/03/13/10

Yes. That is a bad combination. It lets chroot confuse privileged
processes.

Now to figure out if this is easier to squash by adding a user_namespace
to fs_struct or by just forbidding this combination.

Eric

_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/containers