Date:   Wed, 20 Jul 2022 10:52:23 -0400
From:   Paul Moore <>
To:     Karl MacMillan <>
Cc:     Frederick Lawler <>, ...
Subject: Re: [PATCH v2 4/4] selinux: Implement create_user_ns hook

On Tue, Jul 19, 2022 at 10:42 PM Karl MacMillan
<> wrote:
> On Thu, Jul 7, 2022 at 6:34 PM Frederick Lawler <> wrote:
>> Unprivileged user namespace creation is an intended feature to enable
>> sandboxing, however this feature is often used as an initial step to
>> perform a privilege escalation attack.
>> This patch implements a new namespace { userns_create } access control
>> permission to restrict which domains allow or deny user namespace
>> creation. This is necessary for system administrators to quickly protect
>> their systems while waiting for vulnerability patches to be applied.
>> This permission can be used in the following way:
>>         allow domA_t domB_t : namespace { userns_create };
> Isn’t this actually domA_t domA_t : namespace . . .
> I got confused reading this initially trying to figure out what the second domain type would be, but looking at the code cleared that up.

Ah, good catch, thanks Karl!

