Re: [kernel-hardening] Re: [PATCH 2/2] sysctl: allow CLONE_NEWUSER to be disabled

From: Ben Hutchings
Date: Fri Jan 22 2016 - 20:00:53 EST


On Fri, 2016-01-22 at 15:00 -0800, Kees Cook wrote:
> On Fri, Jan 22, 2016 at 2:55 PM, Robert ÅwiÄcki <robert@xxxxxxxxxxx> wrote:
> > 2016-01-22 23:50 GMT+01:00 Kees Cook <keescook@xxxxxxxxxxxx>:
> >
> > > > Seems that Debian and some older Ubuntu versions are already using
> > > >
> > > > $ sysctl -a | grep usern
> > > > kernel.unprivileged_userns_clone = 0
> > > >
> > > > Shall we be consistent wit it?
> > >
> > > Oh! I didn't see that on systems I checked. On which version did you find that?
> >
> > $ uname -a
> > Linux bc1 4.3.0-0.bpo.1-amd64 #1 SMP Debian 4.3.3-5~bpo8+1
> > (2016-01-07) x86_64 GNU/Linux
> > $ cat /etc/debian_version
> > 8.2
>
> Ah-ha, Debian only, though it looks like this was just committed to
> the Ubuntu kernel tree too:
>
>
> > IIRC some older kernels delivered with Ubuntu Precise were also using
> > it (but maybe I'm mistaken)
>
> I don't see it there.
>
> I think my patch is more complete, but I'm happy to change the name if
> this sysctl has already started to enter the global consciousness. ;)
>
> Serge, Ben, what do you think?

I agree that using the '_restrict' suffix for new restrictions makes
sense. ÂI also don't think that a third possible value for
kernel.unprivileged_userns_clone would would be understandable.

I would probably make kernel.unprivileged_userns_clone a wrapper for
kernel.userns_restrict in Debian, then deprecate and eventually remove
it.

Ben.

--
Ben Hutchings
Life is what happens to you while you're busy making other plans.
- John Lennon

Attachment: signature.asc
Description: This is a digitally signed message part