Re: [PATCH v2] sysctl: allow CLONE_NEWUSER to be disabled

From: Eric W. Biederman
Date: Thu Jan 28 2016 - 12:58:49 EST

Next message: Jason Baron: "Re: [PATCH] epoll: add exclusive wakeups flag"
Previous message: Luis Henriques: "Re: [PATCH 3.14 30/59] xhci: refuse loading if nousb is used"
In reply to: Kees Cook: "Re: [PATCH v2] sysctl: allow CLONE_NEWUSER to be disabled"
Next in thread: Robert ÅwiÄcki: "Re: [PATCH v2] sysctl: allow CLONE_NEWUSER to be disabled"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Kees Cook <keescook@xxxxxxxxxxxx> writes:

> + if (sysctl_userns_restrict && !(capable(CAP_SYS_ADMIN) &&
> + capable(CAP_SETUID) &&
> + capable(CAP_SETGID)))
> + return -EPERM;
> +

I will also note that the way I have seen containers used this check
adds no security and is not mentioned or justified in any way in your
patch description.

Furthermore this looks like blame shifting. And quite frankly shifting
the responsibility to users if they get hacked is not an acceptable
attitude.

Eric

Next message: Jason Baron: "Re: [PATCH] epoll: add exclusive wakeups flag"
Previous message: Luis Henriques: "Re: [PATCH 3.14 30/59] xhci: refuse loading if nousb is used"
In reply to: Kees Cook: "Re: [PATCH v2] sysctl: allow CLONE_NEWUSER to be disabled"
Next in thread: Robert ÅwiÄcki: "Re: [PATCH v2] sysctl: allow CLONE_NEWUSER to be disabled"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]