Re: [GIT PULL] LSM patches for v6.1

From: Linus Torvalds
Date: Tue Oct 04 2022 - 17:31:03 EST

Next message: Dmitry Torokhov: "[PATCH 1/4] ARM: dts: omap3-n900: fix LCD reset line polarity"
Previous message: Jarkko Sakkinen: "[GIT PULL] tpmdd updates for Linux v6.1-rc1"
In reply to: Linus Torvalds: "Re: [GIT PULL] LSM patches for v6.1"
Next in thread: Eric W. Biederman: "Re: [GIT PULL] LSM patches for v6.1"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Oct 4, 2022 at 1:55 PM Linus Torvalds
<torvalds@xxxxxxxxxxxxxxxxxxxx> wrote:
>
> So this whole "don't do this" approach you have is not acceptable.

Side note: if we have a security hook for "create random file", then
the notion that creating a whole new namespace somehow must not have
any security hooks because it's *so* special is just ridiculous.

I also note that right now USER_NS is both "default n" and "if not
sure, say 'n'" in the Kconfig files, even though obviously that ship
has sailed long ago.

So originally it might have been a reasonable expectation to say "only
enable this if you're doing containers in servers", but that clearly
isn't the case any more. So we basically take USER_NS for granted, but
the fact that people might want chrome to use it for sandboxing does
*not* mean that randomly we want any CLONE_NEWNS to just be ok,
regardless of how trusted (or not) the case is.

Linus

Next message: Dmitry Torokhov: "[PATCH 1/4] ARM: dts: omap3-n900: fix LCD reset line polarity"
Previous message: Jarkko Sakkinen: "[GIT PULL] tpmdd updates for Linux v6.1-rc1"
In reply to: Linus Torvalds: "Re: [GIT PULL] LSM patches for v6.1"
Next in thread: Eric W. Biederman: "Re: [GIT PULL] LSM patches for v6.1"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]