Re: [PATCH v2] sysctl: allow CLONE_NEWUSER to be disabled

From: Eric W. Biederman
Date: Thu Jan 28 2016 - 12:51:07 EST

Kees Cook <keescook@xxxxxxxxxxxx> writes:

> There continue to be unexpected security exposures when users have access

So how does this sucessfully address that issue?

> For admins of systems that do not use user namespaces
> and are running distro kernels with CONFIG_USER_NS enabled, there is
> no way to disable CLONE_NEWUSER. This provides a way for sysadmins to
> disable the feature to reduce their attack surface without needing to
> rebuild their kernels.
> This is inspired by a similar restriction in Grsecurity, but adds
> a sysctl.

I have already nacked this patch. Thank you for removing the broken
capability in sysctl check. But this does not address any of the other
issues I have raised.

Nacked-by: "Eric W. Biederman" <ebiederm@xxxxxxxxxxxx>

Further as far as I can tell this is just about a witch hunt. Isn't
that what you call a campaign against something when the complaining
party does not understand something persecutes it and does not bother to
try and understand?

I have already told you what kind of direction would be acceptable. I
gave concrete suggests and here you are wasting our time with this patch