lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date:   Wed, 20 Jul 2022 10:52:23 -0400
From:   Paul Moore <paul@...l-moore.com>
To:     Karl MacMillan <karl@...badwolfsecurity.com>
Cc:     Frederick Lawler <fred@...udflare.com>, andrii@...nel.org,
        ast@...nel.org, bpf@...r.kernel.org, brauner@...nel.org,
        casey@...aufler-ca.com, daniel@...earbox.net,
        ebiederm@...ssion.com, eparis@...isplace.org,
        jackmanb@...omium.org, jmorris@...ei.org, john.fastabend@...il.com,
        kafai@...com, kernel-team@...udflare.com, kpsingh@...nel.org,
        linux-kernel@...r.kernel.org, linux-kselftest@...r.kernel.org,
        linux-security-module@...r.kernel.org, netdev@...r.kernel.org,
        revest@...omium.org, selinux@...r.kernel.org, serge@...lyn.com,
        shuah@...nel.org, songliubraving@...com,
        stephen.smalley.work@...il.com, yhs@...com
Subject: Re: [PATCH v2 4/4] selinux: Implement create_user_ns hook

On Tue, Jul 19, 2022 at 10:42 PM Karl MacMillan
<karl@...badwolfsecurity.com> wrote:
> On Thu, Jul 7, 2022 at 6:34 PM Frederick Lawler <fred@...udflare.com> wrote:
>>
>> Unprivileged user namespace creation is an intended feature to enable
>> sandboxing, however this feature is often used to as an initial step to
>> perform a privilege escalation attack.
>>
>> This patch implements a new namespace { userns_create } access control
>> permission to restrict which domains allow or deny user namespace
>> creation. This is necessary for system administrators to quickly protect
>> their systems while waiting for vulnerability patches to be applied.
>>
>> This permission can be used in the following way:
>>
>>         allow domA_t domB_t : namespace { userns_create };
>
>
> Isn’t this actually domA_t domA_t : namespace . . .
>
> I got confused reading this initially trying to figure out what the second domain type would be, but looking at the code cleared that up.

Ah, good catch, thanks Karl!

-- 
paul-moore.com

Powered by blists - more mailing lists