On Sun, Jan 24, 2016 at 2:20 PM, Andy Lutomirski <luto@xxxxxxxxxxxxxx> wrote: > On Sun, Jan 24, 2016 at 12:59 PM, Kees Cook <keescook@xxxxxxxxxxxx> wrote: >> On Fri, Jan 22, 2016 at 4:59 PM, Ben Hutchings <ben@xxxxxxxxxxxxxxx> wrote: >>> On Fri, 2016-01-22 at 15:00 -0800, Kees Cook wrote: >>>> On Fri, Jan 22, 2016 at 2:55 PM, Robert Święcki <robert@xxxxxxxxxxx> wrote: >>>> > 2016-01-22 23:50 GMT+01:00 Kees Cook <keescook@xxxxxxxxxxxx>: >>>> > >>>> > > > Seems that Debian and some older Ubuntu versions are already using >>>> > > > >>>> > > > $ sysctl -a | grep usern >>>> > > > kernel.unprivileged_userns_clone = 0 >>>> > > > >>>> > > > Shall we be consistent wit it? >>>> > > >>>> > > Oh! I didn't see that on systems I checked. On which version did you find that? >>>> > >>>> > $ uname -a >>>> > Linux bc1 4.3.0-0.bpo.1-amd64 #1 SMP Debian 4.3.3-5~bpo8+1 >>>> > (2016-01-07) x86_64 GNU/Linux >>>> > $ cat /etc/debian_version >>>> > 8.2 >>>> >>>> Ah-ha, Debian only, though it looks like this was just committed to >>>> the Ubuntu kernel tree too: >>>> >>>> >>>> > IIRC some older kernels delivered with Ubuntu Precise were also using >>>> > it (but maybe I'm mistaken) >>>> >>>> I don't see it there. >>>> >>>> I think my patch is more complete, but I'm happy to change the name if >>>> this sysctl has already started to enter the global consciousness. ;) >>>> >>>> Serge, Ben, what do you think? >>> >>> I agree that using the '_restrict' suffix for new restrictions makes >>> sense. I also don't think that a third possible value for >>> kernel.unprivileged_userns_clone would would be understandable. >>> >>> I would probably make kernel.unprivileged_userns_clone a wrapper for >>> kernel.userns_restrict in Debian, then deprecate and eventually remove >>> it. >> >> Okay, cool. We'll keep my patch as-is then. Thanks! > > We still need to deal with the capable check in the write handler though, right? > > But I must be missing something: why is mode 0644 insufficient? Yeah, separate issue. I think it's a corner case: a non-cap root user using a setuid tool to write to sysctls. It's worth solving, but I'd like to land the CLONE_NEWUSER sysctl first; it's much more urgent. -Kees -- Kees Cook Chrome OS & Brillo Security -- To unsubscribe from this list: send the line "unsubscribe linux-doc" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
