On 26 July 2016 at 18:52, Kees Cook <keescook@xxxxxxxxxxxx> wrote: > On Tue, Jul 26, 2016 at 8:06 AM, Eric W. Biederman > <ebiederm@xxxxxxxxxxxx> wrote: >> "Michael Kerrisk (man-pages)" <mtk.manpages@xxxxxxxxx> writes: >> >>> Hello Eric, >>> >>> I realized I had a question after the last mail. >>> >>> On 07/21/2016 06:39 PM, Eric W. Biederman wrote: >>>> >>>> This patchset addresses two use cases: >>>> - Implement a sane upper bound on the number of namespaces. >>>> - Provide a way for sandboxes to limit the attack surface from >>>> namespaces. >>> >>> Can you say more about the second point? What exactly is the >>> problem that is being addressed, and how does the patch series >>> address it? (It would be good to have those details in the >>> revised commit message...) >> >> At some point it was reported that seccomp was not sufficient to disable >> namespace creation. I need to go back and look at that claim to see >> which set of circumstances that was referring to. Seccomp doesn't stack >> so I can see why it is an issue. > > seccomp does stack. The trouble usually comes from a perception that > seccomp overhead is not trivial, so setting a system-wide policy is a > bit of a large hammer for such a limitiation. Also, at the time, > seccomp could be bypasses with ptrace, but this (as of v4.8) is no > longer true. Sounds like someone needs to send me a patch for the seccomp.2 man page? Cheers, Michael -- Michael Kerrisk Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/ Linux/UNIX System Programming Training: http://man7.org/training/ -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
