Message-Id: <D1B8NSWK7C8W.2793LJVZT01LD@kernel.org>
Date: Thu, 16 May 2024 20:18:22 +0300
From: "Jarkko Sakkinen" <jarkko@...nel.org>
To: "Paul Moore" <paul@...l-moore.com>, "Jonathan Calmels"
 <jcalmels@...0.net>, "Serge Hallyn" <serge@...lyn.com>
Cc: <brauner@...nel.org>, <ebiederm@...ssion.com>, "Luis Chamberlain"
 <mcgrof@...nel.org>, "Kees Cook" <keescook@...omium.org>, "Joel Granados"
 <j.granados@...sung.com>, "James Morris" <jmorris@...ei.org>, "David
 Howells" <dhowells@...hat.com>, <containers@...ts.linux.dev>,
 <linux-kernel@...r.kernel.org>, <linux-fsdevel@...r.kernel.org>,
 <linux-security-module@...r.kernel.org>, <keyrings@...r.kernel.org>
Subject: Re: [PATCH 0/3] Introduce user namespace capabilities

On Thu May 16, 2024 at 7:23 PM EEST, Paul Moore wrote:
> On Thu, May 16, 2024 at 5:21 AM Jonathan Calmels <jcalmels@...0.net> wrote:
> >
> > It's that time of the year again where we debate security settings for user
> > namespaces ;)
> >
> > I’ve been experimenting with different approaches to address the gripe
> > around user namespaces being used as attack vectors.
> > After invaluable feedback from Serge and Christian offline, this is what I
> > came up with.
>
> As Serge is the capabilities maintainer it would be good to hear his
> thoughts on-list about this proposal.

Also, it would make sense to make this just a bit more digestible to a
wider group of maintainers, i.e. a better introduction to the topic
instead of a huge list of references (no bandwidth to read them all).

This is exactly the kind of patch set that makes you ignore it unless
you are pro-active exactly in this domain.

I think this could bring more actually useful feedback.

BR, Jarkko
