Re: [PATCH v2] sysctl: allow CLONE_NEWUSER to be disabled

From: Eric W. Biederman
Date: Thu Jan 28 2016 - 12:58:49 EST

Kees Cook <keescook@xxxxxxxxxxxx> writes:

> + if (sysctl_userns_restrict && !(capable(CAP_SYS_ADMIN) &&
> + capable(CAP_SETUID) &&
> + capable(CAP_SETGID)))
> + return -EPERM;
> +

I will also note that the way I have seen containers used this check
adds no security and is not mentioned or justified in any way in your
patch description.

Furthermore this looks like blame shifting. And quite frankly shifting
the responsibility to users if they get hacked is not an acceptable