lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAHC9VhSbKct_hY4UNS0oyqsov9ELxXeQc4rqpRO7AuLKfWrGDA@mail.gmail.com> Date: Wed, 20 Jul 2022 10:52:23 -0400 From: Paul Moore <paul@...l-moore.com> To: Karl MacMillan <karl@...badwolfsecurity.com> Cc: Frederick Lawler <fred@...udflare.com>, andrii@...nel.org, ast@...nel.org, bpf@...r.kernel.org, brauner@...nel.org, casey@...aufler-ca.com, daniel@...earbox.net, ebiederm@...ssion.com, eparis@...isplace.org, jackmanb@...omium.org, jmorris@...ei.org, john.fastabend@...il.com, kafai@...com, kernel-team@...udflare.com, kpsingh@...nel.org, linux-kernel@...r.kernel.org, linux-kselftest@...r.kernel.org, linux-security-module@...r.kernel.org, netdev@...r.kernel.org, revest@...omium.org, selinux@...r.kernel.org, serge@...lyn.com, shuah@...nel.org, songliubraving@...com, stephen.smalley.work@...il.com, yhs@...com Subject: Re: [PATCH v2 4/4] selinux: Implement create_user_ns hook On Tue, Jul 19, 2022 at 10:42 PM Karl MacMillan <karl@...badwolfsecurity.com> wrote: > On Thu, Jul 7, 2022 at 6:34 PM Frederick Lawler <fred@...udflare.com> wrote: >> >> Unprivileged user namespace creation is an intended feature to enable >> sandboxing, however this feature is often used to as an initial step to >> perform a privilege escalation attack. >> >> This patch implements a new namespace { userns_create } access control >> permission to restrict which domains allow or deny user namespace >> creation. This is necessary for system administrators to quickly protect >> their systems while waiting for vulnerability patches to be applied. >> >> This permission can be used in the following way: >> >> allow domA_t domB_t : namespace { userns_create }; > > > Isn’t this actually domA_t domA_t : namespace . . . > > I got confused reading this initially trying to figure out what the second domain type would be, but looking at the code cleared that up. Ah, good catch, thanks Karl! -- paul-moore.com
Powered by blists - more mailing lists