Quoting Kees Cook (keescook@xxxxxxxxxxxx): > On Mon, Mar 7, 2016 at 9:15 PM, Andy Lutomirski <luto@xxxxxxxxxxxxxx> wrote: > > Hi all- > > > > There are several users and distros that are nervous about user > > namespaces from an attack surface point of view. > > > > - RHEL and Arch have userns disabled. > > > > - Ubuntu requires CAP_SYS_ADMIN > > > > - Kees periodically proposes to upstream some sysctl to control > > userns creation. > > And here's another ring0 escalation flaw, made available to > unprivileged users because of userns: > > https://code.google.com/p/google-security-research/issues/detail?id=758 Kees, I think you think this makes your point, but all it does is make me want to argue with you and start flinging back cves against kvm, af_unix, sctp, etc. > > I think there are three main types of concerns. First, there might be > > some as-yet-unknown semantic issues that would allow privilege > > escalation by users who create user namespaces and then confuse > > something else in the system. Second, enabling user namespaces > > exposes a lot of attack surface to unprivileged users. Third, > > allowing tasks to create user namespaces exposes the kernel to various > > resource exhaustion attacks that wouldn't be possible otherwise. > > > > Since I doubt we'll ever fully address the attack surface issue at > > least, would it make sense to try to come up with an upstreamable way > > to limit who can create new user namespaces and/or do various > > dangerous things with them? > > The change in attack surface is _substantial_. We must have a way to > globally disable userns. I'm confused. Didn't we agree a few months ago, somewhat reluctantly, on a sysctl? _______________________________________________ Containers mailing list Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linuxfoundation.org/mailman/listinfo/containers
