Re: [kernel-hardening] Re: [PATCH 0/2] sysctl: allow CLONE_NEWUSER to be disabled

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

To: kernel-hardening@xxxxxxxxxxxxxxxxxx, "Eric W. Biederman" <ebiederm@xxxxxxxxxxxx>
Subject: Re: [kernel-hardening] Re: [PATCH 0/2] sysctl: allow CLONE_NEWUSER to be disabled
From: Daniel Micay <danielmicay@xxxxxxxxx>
Date: Mon, 25 Jan 2016 21:27:58 -0500
Cc: Andy Lutomirski <luto@xxxxxxxxxxxxxx>, Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>, Al Viro <viro@xxxxxxxxxxxxxxxxxx>, Richard Weinberger <richard@xxxxxx>, Robert Święcki <robert@xxxxxxxxxxx>, Dmitry Vyukov <dvyukov@xxxxxxxxxx>, David Howells <dhowells@xxxxxxxxxx>, Miklos Szeredi <mszeredi@xxxxxxx>, Kostya Serebryany <kcc@xxxxxxxxxx>, Alexander Potapenko <glider@xxxxxxxxxx>, Eric Dumazet <edumazet@xxxxxxxxxx>, Sasha Levin <sasha.levin@xxxxxxxxxx>, "linux-doc@xxxxxxxxxxxxxxx" <linux-doc@xxxxxxxxxxxxxxx>, "linux-kernel@xxxxxxxxxxxxxxx" <linux-kernel@xxxxxxxxxxxxxxx>
In-reply-to: <CAGXu5jLwwCw9wZA8QYNVrZ2+kHJn7G3sXQZchvqFMYj3bN=DpQ@mail.gmail.com>

> This feature is already implemented by two distros, and likely wanted
> by others. We cannot ignore that.

Date point: Arch Linux won't be enabling CONFIG_USERNS until there's a
way to disable unprivileged user namespaces. The kernel maintainers are
unwilling to carry long-term out-of-tree patches.

https://github.com/sandstorm-io/sandstorm/blob/d270755b1b55e5be6c96df2cce7c914f35f0d2a2/install.sh#L464-L474

Attachment: signature.asc
Description: This is a digitally signed message part

References:
- [PATCH 0/2] sysctl: allow CLONE_NEWUSER to be disabled
  - From: Kees Cook
- Re: [PATCH 0/2] sysctl: allow CLONE_NEWUSER to be disabled
  - From: Eric W. Biederman
- Re: [PATCH 0/2] sysctl: allow CLONE_NEWUSER to be disabled
  - From: Andy Lutomirski
- Re: [PATCH 0/2] sysctl: allow CLONE_NEWUSER to be disabled
  - From: Kees Cook
- Re: [PATCH 0/2] sysctl: allow CLONE_NEWUSER to be disabled
  - From: Andy Lutomirski
- Re: [PATCH 0/2] sysctl: allow CLONE_NEWUSER to be disabled
  - From: Kees Cook
- Re: [PATCH 0/2] sysctl: allow CLONE_NEWUSER to be disabled
  - From: Eric W. Biederman
- Re: [PATCH 0/2] sysctl: allow CLONE_NEWUSER to be disabled
  - From: Kees Cook

Prev by Date: Re: [PATCH] kernel-doc: add support for asciidoc output
Next by Date: [PATCH v7 0/9] watchdog: Add support for keepalives triggered by infrastructure
Previous by thread: Re: [PATCH 0/2] sysctl: allow CLONE_NEWUSER to be disabled
Next by thread: Re: [PATCH 0/2] sysctl: allow CLONE_NEWUSER to be disabled
Index(es):
- Date
- Thread

[Index of Archives] [Kernel Newbies] [Security] [Netfilter] [Bugtraq] [Linux FS] [Yosemite Forum] [MIPS Linux] [ARM Linux] [Linux Security] [Linux RAID] [Samba] [Video 4 Linux] [Device Mapper] [Linux Resources]