Re: [oss-security] Summary of security bugs (now fixed) in user namespaces

From: Florian Weimer
Date: Tue Apr 16 2013 - 08:19:37 EST

Next message: Josh Boyer: "Re: print out hardware name & modules list when we encounter bad page tables."
Previous message: Andy Shevchenko: "Re: [PATCH v2 0/5] dmaengine: add ACPI DMA helpers and use them indw_dmac"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 04/13/2013 07:16 PM, Andy Lutomirski wrote:

I previously reported these bugs privatley. I'm summarizing them for
the historical record. These bugs were never exploitable on a
default-configured released kernel, but some 3.8 versions are
vulnerable depending on configuration.

Looking at this list, is there some way to restrict this new functionality to, say, membership in a certain group? At present, most system users (daemons) do not need this functionality, so it would make sense to restrict access to it.

Or is the expectation that we disable CONFIG_USER_NS until things stabilize further?

--
Florian Weimer / Red Hat Product Security Team
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Josh Boyer: "Re: print out hardware name & modules list when we encounter bad page tables."
Previous message: Andy Shevchenko: "Re: [PATCH v2 0/5] dmaengine: add ACPI DMA helpers and use them indw_dmac"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]