[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <87io2degsu.fsf@x220.int.ebiederm.org>
Date: Thu, 28 Jan 2016 11:48:33 -0600
From: ebiederm@...ssion.com (Eric W. Biederman)
To: Kees Cook <keescook@...omium.org>
Cc: Andrew Morton <akpm@...ux-foundation.org>,
Al Viro <viro@...iv.linux.org.uk>,
"Serge E. Hallyn" <serge.hallyn@...ntu.com>,
Andy Lutomirski <luto@...nel.org>,
"Austin S. Hemmelgarn" <ahferroin7@...il.com>,
Richard Weinberger <richard@....at>,
Robert Święcki <robert@...ecki.net>,
Dmitry Vyukov <dvyukov@...gle.com>,
David Howells <dhowells@...hat.com>,
Kostya Serebryany <kcc@...gle.com>,
Alexander Potapenko <glider@...gle.com>,
Eric Dumazet <edumazet@...gle.com>,
Sasha Levin <sasha.levin@...cle.com>,
linux-doc@...r.kernel.org, linux-kernel@...r.kernel.org,
kernel-hardening@...ts.openwall.com
Subject: Re: [PATCH v2] sysctl: allow CLONE_NEWUSER to be disabled
Kees Cook <keescook@...omium.org> writes:
> + if (sysctl_userns_restrict && !(capable(CAP_SYS_ADMIN) &&
> + capable(CAP_SETUID) &&
> + capable(CAP_SETGID)))
> + return -EPERM;
> +
I will also note that the way I have seen containers used this check
adds no security and is not mentioned or justified in any way in your
patch description.
Furthermore this looks like blame shifting. And quite frankly shifting
the responsibility to users if they get hacked is not an acceptable
attitude.
Eric
Powered by blists - more mailing lists