lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <7354132e-c09b-ac41-add5-116b79bc1a4a@oracle.com>
Date:   Thu, 6 Oct 2022 10:29:34 +0200
From:   Vegard Nossum <vegard.nossum@...cle.com>
To:     Linus Torvalds <torvalds@...ux-foundation.org>,
        "Eric W. Biederman" <ebiederm@...ssion.com>
Cc:     Paul Moore <paul@...l-moore.com>,
        linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [GIT PULL] LSM patches for v6.1


On 10/4/22 22:55, Linus Torvalds wrote:
> And I think you are in denial about how many problems the
> user-namespace stuff has caused.
> 
> Distros are literally turning it off entirely because the whole "let
> users create their own namespace" has *NOT* been a great success.

[...]

> I'm not saying that an LSM is the only place to do it, but I don't
> think there have been any better suggestions either.

I had posted a patch here for restricting module loading requests from
user namespaces as a way to reduce attack surface:

v2: 
https://lore.kernel.org/all/20220815082753.6088-1-vegard.nossum@oracle.com/

v1: 
https://lore.kernel.org/all/20220809185229.28417-1-vegard.nossum@oracle.com/

I'll respond to Serge's comment on the v2 thread.


Vegard

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ