Re: [kernel-hardening] Re: [PATCH 0/2] sysctl: allow CLONE_NEWUSER to be disabled

From: Serge E. Hallyn
Date: Thu Jan 28 2016 - 03:57:03 EST

On Mon, Jan 25, 2016 at 10:57:32PM -0600, Eric W. Biederman wrote:
> What sounds like a generally useful feature that would cover your use
> case and many others is a per user limit on the number of user
> namespaces users may create.

Ok, I'm sorry, but after thinking about this quite a while, I think this
is a bad idea. If I'm allowed to create exactly one, then (a) I won't
be able to run two instances of chrome (does chrome use one userns per
tab or per application?), yet (b) I can easily just not use chrome and
use my allocation to run a vulnerability.

IMO, having a (hopefully temporary, so cleanly separated out) sysctl,
which perhaps goes so far as to kill all non-init user namespaces when
set to -1, makes the most sense. I still think the harm due to having
userspace not being able to rely on user namespaces will, long term, be
worse than the security implications of having user namespaces always