lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <87shuwtp4c.fsf@x220.int.ebiederm.org> Date: Tue, 26 Jul 2016 10:06:59 -0500 From: ebiederm@...ssion.com (Eric W. Biederman) To: "Michael Kerrisk \(man-pages\)" <mtk.manpages@...il.com> Cc: Linux Containers <containers@...ts.linux-foundation.org>, Andy Lutomirski <luto@...capital.net>, Jann Horn <jann@...jh.net>, Kees Cook <keescook@...omium.org>, Nikolay Borisov <kernel@...p.com>, "Serge E. Hallyn" <serge@...lyn.com>, Seth Forshee <seth.forshee@...onical.com>, linux-fsdevel@...r.kernel.org, netdev@...r.kernel.org, linux-kernel@...r.kernel.org, linux-api@...r.kernel.org Subject: Re: [PATCH v2 00/10] userns: sysctl limits for namespaces "Michael Kerrisk (man-pages)" <mtk.manpages@...il.com> writes: > Hello Eric, > > I realized I had a question after the last mail. > > On 07/21/2016 06:39 PM, Eric W. Biederman wrote: >> >> This patchset addresses two use cases: >> - Implement a sane upper bound on the number of namespaces. >> - Provide a way for sandboxes to limit the attack surface from >> namespaces. > > Can you say more about the second point? What exactly is the > problem that is being addressed, and how does the patch series > address it? (It would be good to have those details in the > revised commit message...) At some point it was reported that seccomp was not sufficient to disable namespace creation. I need to go back and look at that claim to see which set of circumstances that was referring to. Seccomp doesn't stack so I can see why it is an issue. The general problem is that namespaces by their nature (and especially in combination with the user namespaces) allow unprivileged users to use more of the kernel than a user would have access to without them. This in turn allows malicious users more kernel calls they can use in attempt to find an exploitable bug. So if you are building a sandbox/chroot jail/chromium tab or anything like that and you know you won't be needing a kernel feature having an easy way to disable the feature is useful for making the kernel marginally more secure, as certain attack vectors are no longer possible. Eric
Powered by blists - more mailing lists