Message-ID: <87wpqteh4y.fsf@x220.int.ebiederm.org>
Date: Thu, 28 Jan 2016 11:41:17 -0600
From: ebiederm@...ssion.com (Eric W. Biederman)
To: Kees Cook <keescook@...omium.org>
Cc: Andrew Morton <akpm@...ux-foundation.org>, Al Viro <viro@...iv.linux.org.uk>, "Serge E. Hallyn" <serge.hallyn@...ntu.com>, Andy Lutomirski <luto@...nel.org>, "Austin S. Hemmelgarn" <ahferroin7@...il.com>, Richard Weinberger <richard@....at>, Robert Święcki <robert@...ecki.net>, Dmitry Vyukov <dvyukov@...gle.com>, David Howells <dhowells@...hat.com>, Kostya Serebryany <kcc@...gle.com>, Alexander Potapenko <glider@...gle.com>, Eric Dumazet <edumazet@...gle.com>, Sasha Levin <sasha.levin@...cle.com>, linux-doc@...r.kernel.org, linux-kernel@...r.kernel.org, kernel-hardening@...ts.openwall.com
Subject: Re: [PATCH v2] sysctl: allow CLONE_NEWUSER to be disabled

Kees Cook <keescook@...omium.org> writes:

> There continue to be unexpected security exposures when users have access
> to CLONE_NEWUSER.

So how does this successfully address that issue?

> For admins of systems that do not use user namespaces
> and are running distro kernels with CONFIG_USER_NS enabled, there is
> no way to disable CLONE_NEWUSER. This provides a way for sysadmins to
> disable the feature to reduce their attack surface without needing to
> rebuild their kernels.
>
> This is inspired by a similar restriction in Grsecurity, but adds
> a sysctl.
>

I have already nacked this patch.

Thank you for removing the broken capability in sysctl check. But this
does not address any of the other issues I have raised.

Nacked-by: "Eric W. Biederman" <ebiederm@...ssion.com>

Further, as far as I can tell this is just about a witch hunt. Isn't that
what you call a campaign against something when the complaining party
does not understand something, persecutes it and does not bother to try
and understand?

I have already told you what kind of direction would be acceptable.
I gave concrete suggestions and here you are wasting our time with this
patch again.

Eric