lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 21 May 2024 17:12:16 +0300
From: "Jarkko Sakkinen" <jarkko@...nel.org>
To: "John Johansen" <john.johansen@...onical.com>, "Jonathan Calmels"
 <jcalmels@...0.net>, "Casey Schaufler" <casey@...aufler-ca.com>
Cc: <brauner@...nel.org>, <ebiederm@...ssion.com>, "Luis Chamberlain"
 <mcgrof@...nel.org>, "Kees Cook" <keescook@...omium.org>, "Joel Granados"
 <j.granados@...sung.com>, "Serge Hallyn" <serge@...lyn.com>, "Paul Moore"
 <paul@...l-moore.com>, "James Morris" <jmorris@...ei.org>, "David Howells"
 <dhowells@...hat.com>, <containers@...ts.linux.dev>,
 <linux-kernel@...r.kernel.org>, <linux-fsdevel@...r.kernel.org>,
 <linux-security-module@...r.kernel.org>, <keyrings@...r.kernel.org>
Subject: Re: [PATCH 0/3] Introduce user namespace capabilities

On Tue May 21, 2024 at 4:57 PM EEST, John Johansen wrote:
> > One tip: I think this is wrong forum to present namespace ideas in the
> > first place. It would be probably better to talk about this with e.g.
> > systemd or podman developers, and similar groups. There's zero evidence
> > of the usefulness. Then when you go that route and come back with actual
> > users, things click much more easily. Now this is all in the void.
> > 
> > BR, Jarkko
>
> Jarkko,
>
> this is very much the right forum. User namespaces exist today. This
> is a discussion around trying to reduce the exposed kernel surface
> that is being used to attack the kernel.

Agreed, that was harsh way to put it. What I mean is that if this
feature was included, would it be enabled by distributions?

This user base part or potential user space part is not very well
described in the cover letter. I.e. "motivation" to put it short.

I mean the technical details are really in detail in this patch set but
it would help to digest them if there was some even rough description
how this would be deployed.

If the motivation should be obvious, then it is beyond me, and thus
would be nice if that obvious thing was stated that everyone else gets.

E.g. I like to sometimes just test quite alien patch sets for the sake
of learning and fun (or not so fun, depends) but this patch set does not
deliver enough information to do anything at all.

Hope this clears a bit where I stand. IMHO a good patch set should bring
the details to the specialists on the topic but also have some wider
audience motivational stuff in order to make clear where it fits in this
world :-)

BR, Jarkko

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ