Re: [PATCH v5 0/4] Introduce security_create_user_ns()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Paul Moore <paul@xxxxxxxxxxxxxx> writes:

> At the end of the v4 patchset I suggested merging this into lsm/next
> so it could get a full -rc cycle in linux-next, assuming no issues
> were uncovered during testing

What in the world can be uncovered in linux-next for code that has no in
tree users.

That is one of my largest problems.  I want to talk about the users and
the use cases and I don't get dialog.  Nor do I get hey look back there
you missed it.

Since you don't want to rehash this.  I will just repeat my conclusion
that the patchset appears to introduce an ineffective defense that will
achieve nothing in the defense of the kernel, and so all it will achieve
a code maintenance burden and to occasionally break legitimate users of
the user namespace.

Further the process is broken.  You are changing the semantics of an
operation with the introduction of a security hook.  That needs a
man-page and discussion on linux-abi.  In general of the scrutiny we
give to new systems and changed system calls.  As this change
fundamentally changes the semantics of creating a user namespace.

Skipping that part of the process is not simply disagree that is being
irresponsible.

Eric



[Index of Archives]     [Linux Wireless]     [Linux Kernel]     [ATH6KL]     [Linux Bluetooth]     [Linux Netdev]     [Kernel Newbies]     [Share Photos]     [IDE]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux ATA RAID]     [Samba]     [Device Mapper]

  Powered by Linux