On Fri, Jan 22, 2016 at 4:59 PM, Ben Hutchings <ben@xxxxxxxxxxxxxxx> wrote: > On Fri, 2016-01-22 at 15:00 -0800, Kees Cook wrote: >> On Fri, Jan 22, 2016 at 2:55 PM, Robert Święcki <robert@xxxxxxxxxxx> wrote: >> > 2016-01-22 23:50 GMT+01:00 Kees Cook <keescook@xxxxxxxxxxxx>: >> > >> > > > Seems that Debian and some older Ubuntu versions are already using >> > > > >> > > > $ sysctl -a | grep usern >> > > > kernel.unprivileged_userns_clone = 0 >> > > > >> > > > Shall we be consistent wit it? >> > > >> > > Oh! I didn't see that on systems I checked. On which version did you find that? >> > >> > $ uname -a >> > Linux bc1 4.3.0-0.bpo.1-amd64 #1 SMP Debian 4.3.3-5~bpo8+1 >> > (2016-01-07) x86_64 GNU/Linux >> > $ cat /etc/debian_version >> > 8.2 >> >> Ah-ha, Debian only, though it looks like this was just committed to >> the Ubuntu kernel tree too: >> >> >> > IIRC some older kernels delivered with Ubuntu Precise were also using >> > it (but maybe I'm mistaken) >> >> I don't see it there. >> >> I think my patch is more complete, but I'm happy to change the name if >> this sysctl has already started to enter the global consciousness. ;) >> >> Serge, Ben, what do you think? > > I agree that using the '_restrict' suffix for new restrictions makes > sense. I also don't think that a third possible value for > kernel.unprivileged_userns_clone would would be understandable. > > I would probably make kernel.unprivileged_userns_clone a wrapper for > kernel.userns_restrict in Debian, then deprecate and eventually remove > it. Okay, cool. We'll keep my patch as-is then. Thanks! -Kees -- Kees Cook Chrome OS & Brillo Security -- To unsubscribe from this list: send the line "unsubscribe linux-doc" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
